Insufficient Session Expiration in Keycloak - CVE-2023-0657


Published: April 17, 2024


Vulnerability identifier: #VU88796
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-0657
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists because the software does not properly enforce token types when validating signatures locally. An authenticated user can use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
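The defensive pattern behind CWE-613 here is that a signature check alone does not establish what a token is for. The following added example is not Keycloak code; it is a stand-alone Python illustration that builds two validly signed JWTs with a constructed HS256 secret, one shaped like an OIDC back-channel logout token (assumed header `typ: "logout+jwt"` and an `events` claim) and one shaped like an access token (assumed header `typ: "Bearer"`), and shows why a validator that checks only the signature accepts both, while one that also enforces the token type accepts only the access token. The secret, claims and function names are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only (HS256); not a real Keycloak key.
SECRET = b"example-shared-secret-not-real"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(header: dict, claims: dict) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str):
    """Verify the HS256 signature and return (header, claims); raises on failure."""
    h, c, s = token.split(".")
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))


def accept_as_access_token_weak(token: str) -> dict:
    """Weak local validation: signature only. Any token signed by the issuer,
    including a logout token, is accepted as if it were an access token."""
    _header, claims = verify_signature(token)
    return claims


def accept_as_access_token_hardened(token: str) -> dict:
    """Hardened validation: signature AND token type. Assumes access tokens carry
    header typ "Bearer" and logout tokens carry typ "logout+jwt" plus an
    'events' claim (OIDC back-channel logout); both are assumptions here."""
    header, claims = verify_signature(token)
    if header.get("typ") != "Bearer":
        raise ValueError("wrong token type: %r" % header.get("typ"))
    if "events" in claims:
        raise ValueError("logout event token presented as an access token")
    return claims


def is_accepted(validator, token: str) -> bool:
    """True if the validator accepts the token, False if it rejects it."""
    try:
        validator(token)
        return True
    except ValueError:
        return False


# Constructed sample tokens: both are validly signed by the same issuer.
LOGOUT_TOKEN = make_token(
    {"alg": "HS256", "typ": "logout+jwt"},
    {
        "iss": "https://idp.example/realms/demo",
        "sub": "user-123",
        "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
    },
)
ACCESS_TOKEN = make_token(
    {"alg": "HS256", "typ": "Bearer"},
    {"iss": "https://idp.example/realms/demo", "sub": "user-123", "scope": "read"},
)

if __name__ == "__main__":
    print("weak accepts logout token:", is_accepted(accept_as_access_token_weak, LOGOUT_TOKEN))
    print("hardened accepts logout token:", is_accepted(accept_as_access_token_hardened, LOGOUT_TOKEN))
    print("hardened accepts access token:", is_accepted(accept_as_access_token_hardened, ACCESS_TOKEN))
```

The point for defenders is the second check in the hardened validator: a resource server or token-exchange endpoint that validates tokens locally must bind acceptance to the token's declared purpose (header `typ`, and for logout tokens the presence of the `events` claim), not merely to a valid issuer signature. For Keycloak itself the fix is the vendor update below; this example only shows the general check.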


How to mitigate CVE-2023-0657

Install updates from the vendor's website.

Sources