logo

Database

Sensitive information sent insecurely In org.keycloak:keycloak-core

Description

keycloak-core vulnerable to timing attacks against JWS token verification Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2017-25852. NVD-2017-25853. OSV-2017-25854. GHSA-w6gv-3r3v-gwgj5. GCVE-2017-25856. access.redhat.com7. access.redhat.com

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=14123762. https://web.archive.org/web/20170420113802/http://www.securitytracker.com/id/10381803. https://web.archive.org/web/20200227175650/http://www.securityfocus.com/bid/973934. http://rhn.redhat.com/errata/RHSA-2017-0876.html5. http://www.securityfocus.com/bid/973936. http://www.securitytracker.com/id/1038180

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.