Timing attack in Keycloak - CVE-2017-2585

 


Published: March 16, 2018


Vulnerability identifier: #VU11132
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-2585
CWE-ID: CWE-208
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to conduct timing attacks and obtain potentially sensitive information on the target system.

The weakness exists because the Hashed Message Authentication Code (HMAC) used to verify JSON Web Signature (JWS) tokens is checked with a non-constant-time comparison (CWE-208), so the time a verification takes depends on where the presented signature first differs from the expected one. A remote attacker can perform a timing attack and gain access to potentially sensitive information.
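The added example below (not Keycloak's code; the key, claims and helper names are constructed for illustration) shows the two comparators side by side in a toy HS256 JWS verifier. Instead of measuring wall-clock time, each comparator reports how many signature bytes it inspected, which makes the data dependence of the early-exit version visible: its work grows with the length of the correct prefix, while the `hmac.compare_digest` version always does the same work. The `work_profile` helper is the kind of unit test a reviewer can run against any comparison routine to confirm it does not leak the mismatch position.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Tuple

# Constructed demo key (assumption): stands in for the realm's HS256 signing secret.
SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with an HS256 tag."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"


def early_exit_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The CWE-208 pattern: stop at the first differing byte.
    Returns (equal, bytes_inspected) so the data dependence is visible
    without needing a clock."""
    if len(a) != len(b):
        return False, 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            return False, inspected
    return True, inspected


def constant_time_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Hardened form: hmac.compare_digest touches every byte regardless of
    where (or whether) the inputs differ, so the work is always len(a)."""
    return hmac.compare_digest(a, b), len(a)


def verify_hs256(token: str, key: bytes, constant_time: bool = True) -> Tuple[bool, int]:
    """Recompute the HS256 tag over header.payload and compare it with the
    presented signature using the selected comparator."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    presented = b64url_decode(sig)
    if constant_time:
        return constant_time_equal(expected, presented)
    return early_exit_equal(expected, presented)


def with_matching_prefix(token: str, prefix_len: int) -> str:
    """Constructed test input: same token, but the signature agrees with the
    genuine tag only in its first prefix_len bytes (the next byte is flipped).
    Used to check whether a comparator's work depends on the mismatch position."""
    header, payload, sig = token.split(".")
    tag = bytearray(b64url_decode(sig))
    tag[prefix_len] ^= 0x01
    return f"{header}.{payload}.{b64url_encode(bytes(tag))}"


def work_profile(token: str, key: bytes, constant_time: bool) -> List[int]:
    """Bytes inspected for every possible first-mismatch position; a flat
    profile means the comparator does not leak where the mismatch is."""
    tag_len = len(b64url_decode(token.split(".")[2]))
    return [verify_hs256(with_matching_prefix(token, i), key, constant_time)[1] for i in range(tag_len)]


if __name__ == "__main__":
    tok = sign_hs256({"sub": "alice"}, SECRET)  # constructed claims
    print("early-exit comparator:", work_profile(tok, SECRET, constant_time=False))
    print("constant-time comparator:", work_profile(tok, SECRET, constant_time=True))
```

Running the script prints a profile of 1 through 32 for the early-exit comparator and thirty-two 32s for the constant-time one; the same flat-versus-sloping shape is what a real timing measurement against a vulnerable verifier would show, which is why the fix is to compare MAC tags only with a constant-time routine (`hmac.compare_digest` in Python, `MessageDigest.isEqual` in Java).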

How to mitigate CVE-2017-2585

Update to version 2.5.1 or later.

Sources