Improper Authentication in Keycloak - CVE-2017-12160


Published: October 26, 2017 / Updated: August 8, 2020


Vulnerability identifier: #VU38017
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-12160
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary code.

It was found that Keycloak's OAuth implementation would permit an authenticated resource to obtain an access/refresh token pair from the authentication server and keep using it indefinitely, even after the underlying permission had been revoked. An attacker on an already compromised resource could use this flaw to retain permissions that should have been withdrawn and possibly conduct further attacks.
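As an added illustration (a constructed model, not Keycloak's code), the toy issuer below exposes a refresh endpoint in two variants: one that ignores revoked grants and keeps minting fresh token pairs from an old refresh token, which is the failure mode described above, and one that checks the grant's status on every refresh. The class and function names and the user/client values are assumptions made for the example.

```python
import secrets


class AuthServer:
    """Minimal OAuth-style token issuer (constructed model, not Keycloak)."""

    def __init__(self, check_revocation: bool):
        # When False, the refresh path behaves like the vulnerable case.
        self.check_revocation = check_revocation
        self.refresh_tokens = {}    # refresh_token -> (user, client) grant
        self.revoked_grants = set()  # grants whose consent was withdrawn

    def issue_pair(self, user: str, client: str):
        access = secrets.token_urlsafe(16)
        refresh = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh] = (user, client)
        return access, refresh

    def revoke_grant(self, user: str, client: str) -> None:
        # Revocation only records the decision; outstanding refresh tokens
        # still exist, so the refresh path must consult this set.
        self.revoked_grants.add((user, client))

    def refresh(self, refresh_token: str):
        grant = self.refresh_tokens.pop(refresh_token, None)  # rotate
        if grant is None:
            return None                       # unknown or already used
        if self.check_revocation and grant in self.revoked_grants:
            return None                       # grant withdrawn: stop here
        # Vulnerable variant reaches this line even for a revoked grant
        # and hands out a new, fully usable pair.
        return self.issue_pair(*grant)


def refresh_after_revocation(check_revocation: bool) -> bool:
    """Return True if a refresh still succeeds after the grant was revoked."""
    srv = AuthServer(check_revocation)
    _, refresh = srv.issue_pair("alice", "reporting-app")  # constructed values
    srv.revoke_grant("alice", "reporting-app")
    return srv.refresh(refresh) is not None
```

Running `refresh_after_revocation(False)` shows the unwanted behaviour (a new pair is issued), while `refresh_after_revocation(True)` shows the refresh being refused.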


How to mitigate CVE-2017-12160

Install the update from the vendor's website.

Sources