CVE-2017-12159

EPSS 0.59%
Veröffentlicht 26.10.2017 17:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Single Sign On Version7.0

Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Single Sign On Version7.1

Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0

Keycloak ≫ Keycloak Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.59%	0.682

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://access.redhat.com/errata/RHSA-2017:2904

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2905

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2906

Third Party Advisory

http://www.securityfocus.com/bid/101601

Third Party Advisory

VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=1484111

Third Party Advisory

VDB Entry

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2017-12159

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-12159

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-12159

EUVD