#VU70166 Insufficient Session Expiration in Keycloak - CVE-2022-3916


Published: December 13, 2022


Vulnerability identifier: #VU70166
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-3916
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Keycloak
Software vendor: Keycloak

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the reuse of session IDs across root and user authentication sessions when a client with the offline_access scope is used. An attacker with the ability to obtain the root session ID can use the refresh token to authenticate to the application as another user.

The issue affects shared environments, where the attacker is able to obtain the victim's cookies after the victim logs out.
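As an added illustration (not Keycloak's code and not a reproduction against the product), the following Python model shows the session-binding property the description implies: when the user session ID is simply the root session ID, a refresh token issued before logout still resolves to a live session after a second user authenticates through the same root session, whereas a fresh per-login ID breaks that link. The class and function names, and the two-user scenario, are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed model of an identity provider's session state (not Keycloak's code)."""
    reuse_root_id: bool                                  # True: user session id == root session id
    user_sessions: dict = field(default_factory=dict)    # user_session_id -> username
    offline_tokens: dict = field(default_factory=dict)   # refresh_token -> user_session_id

    def login(self, root_session_id: str, username: str) -> str:
        """Authenticate a user under the browser's root session; return an offline refresh token."""
        # Flawed variant keys the user session by the root session id, so a later login
        # through the same root session silently takes over the same user session id.
        sid = root_session_id if self.reuse_root_id else secrets.token_hex(16)
        self.user_sessions[sid] = username
        token = secrets.token_hex(16)
        self.offline_tokens[token] = sid
        return token

    def logout(self, token: str) -> None:
        """End the user session; the offline token record itself outlives the logout."""
        self.user_sessions.pop(self.offline_tokens.get(token), None)

    def refresh(self, token: str):
        """Return the username a new access token would be minted for, or None if rejected."""
        return self.user_sessions.get(self.offline_tokens.get(token))


def stale_token_resolves(reuse_root_id: bool) -> bool:
    """Scenario: the first user logs in on a shared browser and logs out, the root session
    cookie survives, and a second user logs in. Does the first user's old refresh token
    still resolve to a live session? True means the CWE-613 failure mode is present."""
    store = SessionStore(reuse_root_id)
    root_sid = secrets.token_hex(16)          # browser-side root authentication session
    first_token = store.login(root_sid, "alice")
    store.logout(first_token)
    store.login(root_sid, "bob")              # same root session, different user
    return store.refresh(first_token) is not None


if __name__ == "__main__":
    print("reused ids:", stale_token_resolves(True))    # True
    print("fresh ids :", stale_token_resolves(False))   # False
```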


Remediation

Install updates from the vendor's website.

External links