Keycloak Oauth Implementation Error

GHSA-qc72-gfvw-76h7 · CVE-2017-12160

Published May 13, 2022 · Modified Feb 16, 2024

Description

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-12160
WEB https://access.redhat.com/errata/RHSA-2017:2904
WEB https://access.redhat.com/errata/RHSA-2017:2905
WEB https://access.redhat.com/errata/RHSA-2017:2906
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1484154
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes