CVE-2017-12160 – org.keycloak:keycloak-parent
Package
Manager: maven
Name: org.keycloak:keycloak-parent
Vulnerable Version: >=0 <3.3.0.final
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0046 (percentile 0.63199)
Details
Keycloak OAuth Implementation Error
It was found that the Keycloak OAuth implementation would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, and that the pair remained usable indefinitely even after the resource's permissions were revoked. An attacker on an already compromised resource could use this flaw to grant themselves continued permissions and possibly conduct further attacks.
Metadata
Created: 2022-05-13T01:23:16Z
Modified: 2023-10-10T14:39:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qc72-gfvw-76h7/GHSA-qc72-gfvw-76h7.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-qc72-gfvw-76h7
Finding: F039
Auto approve: 1