Описание
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
Отчет
This vulnerability is rated LOW for Red Hat. A race condition in the Keycloak TokenManager allows an attacker to bypass the refreshTokenMaxReuse security policy when it is explicitly configured for strict single-use (set to zero). This enables a single refresh token to be exchanged for multiple valid access tokens through concurrent requests, undermining the Refresh Token Rotation hardening measure.
Меры по смягчению последствий
To mitigate this issue, configure the refreshTokenMaxReuse policy in Keycloak to a value greater than zero. This prevents the race condition by allowing a limited number of reuses for refresh tokens, thereby maintaining the integrity of the Refresh Token Rotation hardening measure. Consult Keycloak documentation for specific configuration instructions. Changes to Keycloak configuration typically require a service restart or redeployment to take effect.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9 | Affected | ||
| Red Hat JBoss Enterprise Application Platform 8 | keycloak-services | Not affected | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | keycloak-services | Not affected | ||
| Red Hat Single Sign-On 7 | keycloak-services | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
3.1 Low
CVSS3
Связанные уязвимости
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
A flaw was found in the Keycloak server during refresh token processin ...
Keycloak does not validate and update refresh token usage atomically
EPSS
3.1 Low
CVSS3