3.4

CVE-2023-0657

Keycloak: impersonation via logout token exchange

Impersonation via logout token exchange

A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/keycloak/keycloak
Paket keycloak
Default Statusunaffected
Version 0
Version < 22.0.10
Status affected
Version 23.0.0
Version < 24.0.3
Status affected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 22
Default Statusaffected
Version 22.0.10-1
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 22
Default Statusaffected
Version 22-13
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 22
Default Statusaffected
Version 22-16
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 22.0.10
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Single Sign-On 7
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemKeycloak
Produkt Keycloak Server
Version >= 0.0.0, < 22.0.10
Version >= 24.0.0, < 24.0.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.05% 0.17
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 3.4 0.9 2.5
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE-273 Improper Check for Dropped Privileges

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.