Insufficient Session Expiration in Keycloak - CVE-2021-3461

 

Insufficient Session Expiration in Keycloak - CVE-2021-3461

Published: May 25, 2021 / Updated: May 25, 2021


Vulnerability identifier: #VU53530
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-3461
CWE-ID: CWE-613
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to the way Keycloak handles backchannel logout requests. If the logout request comes from an external SAML identity provider and Principal Type is set to Attribute [Name], the application ignores such request.


How to mitigate CVE-2021-3461

Install update from vendor's website.

Sources