CVE-2017-12160

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.
References
Link Resource
https://access.redhat.com/errata/RHSA-2017:2904 Issue Tracking Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2905 Issue Tracking Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2906 Issue Tracking Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1484154 Issue Tracking Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-10-26 17:29

Updated : 2024-02-28 16:04


NVD link : CVE-2017-12160

Mitre link : CVE-2017-12160

CVE.ORG link : CVE-2017-12160


JSON object : View

Products Affected

redhat

  • keycloak
CWE
CWE-287

Improper Authentication

CWE-285

Improper Authorization