CVE-2022-1245

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/keycloak/keycloak/security/advisories/GHSA-75p6-52g3-rqc8	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*

History

27 Jun 2023, 15:57

Type	Values Removed	Values Added
CWE	~~CWE-862~~	CWE-639

Information

Published : 2022-07-08 00:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-1245

Mitre link : CVE-2022-1245

CVE.ORG link : CVE-2022-1245

JSON object : View

Products Affected

redhat

keycloak

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

CWE-862

Missing Authorization

{"id": "CVE-2022-1245", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-07-08T00:15:07.937", "references": [{"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-75p6-52g3-rqc8", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services."}, {"lang": "es", "value": "Se ha encontrado un fallo de escalada de privilegios en la funcionalidad token exchange de keycloak. Una falta de autorizaci\u00f3n permite que una aplicaci\u00f3n cliente que tenga un token de acceso v\u00e1lido pueda intercambiar tokens para cualquier cliente de destino pasando el client_id del mismo. Esto podr\u00eda permitir a un cliente conseguir acceso no autorizado a servicios adicionales"}], "lastModified": "2023-11-07T03:41:50.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC308493-1A81-4D85-B568-ECAA9AE15A82", "versionEndExcluding": "18.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}