
CVE-2023-0657 org.keycloak:keycloak-services

Package

Manager: maven
Name: org.keycloak:keycloak-services
Vulnerable Version: >=0 <22.0.10 || >=23.0.0 <24.0.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00063 (percentile 0.19755)

Details

Keycloak vulnerable to impersonation via logout token exchange

Keycloak was found to not properly enforce token types when validating signatures locally. A valid signature only proves that the issuer produced the token; it does not prove that the token is an access token, so a genuinely signed logout token presented to the token exchange endpoint was accepted where an access token was expected. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
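The failure mode above, as an added illustration that is not Keycloak's own code: a minimal HS256 JWT issuer, a "signature only" local validator of the kind the advisory describes, and a hardened validator that additionally requires the `typ` claim expected by a token exchange endpoint. The key, subject, audience and token contents are constructed for the demo; the type names "Bearer" and "Logout" follow Keycloak's `typ` claim convention but are assumed here for illustration only.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed demo key. A real deployment verifies RS256/ES256 signatures with the
# issuer's public key; the type-check logic demonstrated below is the same.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Token type names follow Keycloak's "typ" claim convention ("Bearer" for access
# tokens, "Logout" for back-channel logout tokens); assumed values for the demo.
TYPE_ACCESS = "Bearer"
TYPE_LOGOUT = "Logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issuer side: sign the given claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_signature_only(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Local validation as the advisory describes it: the signature is checked,
    the token type is not. Returns the claims on a valid signature, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust the token's own alg choice
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))


def verify_for_exchange(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Hardened validation: the same signature check, plus the token must carry
    the type the exchange endpoint expects. A logout token from the same issuer
    is therefore rejected even though its signature is genuine."""
    claims = verify_signature_only(token, key)
    if claims is None or claims.get("typ") != TYPE_ACCESS:
        return None
    return claims


def exchange(subject_token: str,
             verifier: Callable[[str], Optional[dict]],
             audience: str) -> Optional[str]:
    """Token exchange: if the subject token passes `verifier`, mint a fresh
    access token for the same subject, scoped to `audience`."""
    claims = verifier(subject_token)
    if claims is None:
        return None
    return mint({"typ": TYPE_ACCESS, "sub": claims["sub"], "aud": audience})


# Constructed sample tokens: same issuer key, same subject, different types.
ACCESS_TOKEN = mint({"typ": TYPE_ACCESS, "sub": "alice", "aud": "frontend"})
LOGOUT_TOKEN = mint({"typ": TYPE_LOGOUT, "sub": "alice", "sid": "session-1"})


def demo() -> dict:
    """Run the exchange under both verifiers; returns which tokens each
    verifier allowed to be exchanged for a new access token."""
    results = {}
    for name, verifier in (("signature_only", verify_signature_only),
                           ("type_enforced", verify_for_exchange)):
        results[name] = {
            "access_token_exchanged": exchange(ACCESS_TOKEN, verifier, "backend") is not None,
            "logout_token_exchanged": exchange(LOGOUT_TOKEN, verifier, "backend") is not None,
        }
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With the signature-only verifier, the logout token is exchanged into a new access token for the same subject; with the type-enforced verifier only the access token is. The point generalizes beyond logout tokens: any check that stops at "signed by the issuer" should be followed by "and is the kind of token this endpoint accepts" (type, audience, and expiry), otherwise every artifact the issuer signs becomes interchangeable.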

Metadata

Created: 2024-04-17T18:25:59Z
Modified: 2024-11-18T17:28:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-7fpj-9hr8-28vh/GHSA-7fpj-9hr8-28vh.json
CWE IDs: CWE-273, CWE-284, CWE-287, CWE-290, CWE-347
Alternative ID: GHSA-7fpj-9hr8-28vh
Finding: F039
Auto approve: 1