CVE-2017-12160

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.
References
  • https://bugzilla.redhat.com/show_bug.cgi?id=1484154 (Issue Tracking, Third Party Advisory)
  • https://access.redhat.com/errata/RHSA-2017:2906 (Issue Tracking, Third Party Advisory)
  • https://access.redhat.com/errata/RHSA-2017:2905 (Issue Tracking, Third Party Advisory)
  • https://access.redhat.com/errata/RHSA-2017:2904 (Issue Tracking, Third Party Advisory)
Configurations

Configuration 1

cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*

Information

Published : 2017-10-26 10:29

Updated : 2020-08-19 08:49


NVD link : CVE-2017-12160

Mitre link : CVE-2017-12160


CWE
CWE-287

Improper Authentication

Products Affected

redhat

  • keycloak