CVE-2025-12110

Опубликовано: 23 окт. 2025

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

Ссылки

https://access.redhat.com/errata/RHSA-2025:21370
https://access.redhat.com/errata/RHSA-2025:21371
https://access.redhat.com/errata/RHSA-2025:22088
https://access.redhat.com/errata/RHSA-2025:22089
https://access.redhat.com/security/cve/CVE-2025-12110
https://bugzilla.redhat.com/show_bug.cgi?id=2406033
https://github.com/keycloak/keycloak/pull/43790

EPSS

Процентиль: 14%

0.00047

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-613

Связанные уязвимости

CVE-2025-12110

CVSS3: 5.4

debian

4 месяца назад

A flaw was found in Keycloak. An offline session continues to be valid ...

GHSA-895x-rfqp-jh5c

CVSS3: 5.4

github

4 месяца назад

Keycloak does not invalidate offline sessions when the offline_access scope is removed

EPSS

Процентиль: 14%

0.00047

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-613