7.2

CVE-2017-12160

EPSS 0.46%
Veröffentlicht 26.10.2017 17:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.631

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://access.redhat.com/errata/RHSA-2017:2904

Third Party Advisory

Issue Tracking

https://access.redhat.com/errata/RHSA-2017:2905

Third Party Advisory

Issue Tracking

https://access.redhat.com/errata/RHSA-2017:2906

Third Party Advisory

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=1484154

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2017-12160

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-12160

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-12160

EUVD