Information disclosure in Red Hat Keycloak



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-2585
CWE-ID CWE-208
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Keycloak
Server applications / Directory software, identity management

Vendor Keycloak

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Timing attack

EUVDB-ID: #VU11132

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-2585

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to conduct timing attacks and obtain potentially sensitive information on the target system.

The weakness exists due to the nonconstant time method when used for Hashed Message Authentication Code (HMAC) verification for JSON Web Signature (JWS) tokens. A remote attacker can perform a timing attack and gain access to potentially sensitive information.

Mitigation

Update to version 2.5.1 or later.

Vulnerable software versions

Keycloak: 0.6.0 - 2.5.1

CPE2.3 External links

https://github.com/keycloak/keycloak/releases


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###