logo

Database

Improper authorization control for web services In org.keycloak:keycloak-services

Description

Keycloak vulnerable to impersonation via logout token exchange Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-06572. NVD-2023-06573. OSV-2023-06574. GHSA-7fpj-9hr8-28vh5. GCVE-2023-06576. access.redhat.com7. access.redhat.com8. ACCESS-CVE-2023-0657

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-7fpj-9hr8-28vh2. https://bugzilla.redhat.com/show_bug.cgi?id=2166728

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.