Insufficient Session Expiration in Keycloak - CVE-2022-3916

 

Insufficient Session Expiration in Keycloak - CVE-2022-3916

Published: December 13, 2022


Vulnerability identifier: #VU70166
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-3916
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to reuse of session ids across root and user authentication sessions when using a client with the offline_access scope. An attacker with ability to obtain the root session ID can utilize the refresh token and authenticate to the application as another user.

The issue affects shared environments, where the attacker is able to obtain victim's cookies after the victim logs out.


How to mitigate CVE-2022-3916

Install updates from vendor's website.

Sources