7.2

CVE-2017-12160

EPSS 0.46%
Published 26.10.2017 17:29:00
Last modified 20.04.2025 01:37:25
Source secalert@redhat.com
Teams watchlist Login
Open Login

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

Affected products Warnungen 0 Metrics 3 CWE 2 References 7

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.46%	0.631

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://access.redhat.com/errata/RHSA-2017:2904

Third Party Advisory

Issue Tracking

https://access.redhat.com/errata/RHSA-2017:2905

Third Party Advisory

Issue Tracking

https://access.redhat.com/errata/RHSA-2017:2906

Third Party Advisory

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=1484154

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2017-12160

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-12160

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-12160

EUVD