exploitDog

GHSA-7fpj-9hr8-28vh

Published: Apr 17, 2024
Source: github
GitHub: reviewed
CVSS3: 3.4

Description

Keycloak vulnerable to impersonation via logout token exchange

Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
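As an added illustration (not Keycloak's own code; the HS256 key, the claim layout and the `typ` values "Bearer"/"Logout" are assumptions), the check below contrasts accepting any validly signed token with also enforcing the expected token type before a token exchange:

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-hmac-key"   # constructed; real validation uses the realm key
TOKEN_TYPE_ACCESS = "Bearer"              # assumed typ value of an access token
TOKEN_TYPE_LOGOUT = "Logout"              # assumed typ value of a logout token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT for the demo (stand-in for the issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature_only(token: str, key: bytes = DEMO_KEY) -> dict:
    """The flawed pattern: a valid signature alone is treated as sufficient,
    so a logout token passes wherever an access token is expected."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def verify_for_exchange(token: str, expected_typ: str = TOKEN_TYPE_ACCESS,
                        key: bytes = DEMO_KEY) -> dict:
    """Hardened form: the signature AND the token type must both check out."""
    claims = verify_signature_only(token, key)
    actual = claims.get("typ")
    if actual != expected_typ:
        raise ValueError(f"wrong token type {actual!r}, expected {expected_typ!r}")
    return claims
```

A token exchange endpoint should call the hardened variant, so a signed logout token is rejected even though its signature verifies.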

Packages

Name: org.keycloak:keycloak-services (maven)
Affected versions: < 22.0.10
Fixed version: 22.0.10

Name: org.keycloak:keycloak-services (maven)
Affected versions: >= 23.0.0, < 24.0.3
Fixed version: 24.0.3

EPSS

Percentile: 12%
0.0004
Low

3.4 Low

CVSS3

Weaknesses

CWE-273
CWE-284
CWE-287
CWE-290
CWE-347

Related vulnerabilities

CVSS3: 3.4
redhat
almost 2 years ago

A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

CVSS3: 3.4
nvd
about 1 year ago

A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

CVSS3: 3.4
debian
about 1 year ago

A flaw was found in Keycloak. This issue occurs due to improperly enfo ...