Main Vulnerability Database Vulnerabilities #VU53530

#VU53530 Insufficient Session Expiration in Keycloak - CVE-2021-3461

Published: May 25, 2021 / Updated: May 25, 2021

Vulnerability identifier: #VU53530

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2021-3461

CWE-ID: CWE-613

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Keycloak

Software vendor:
Keycloak

Description

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to the way Keycloak handles backchannel logout requests. If the logout request comes from an external SAML identity provider and Principal Type is set to Attribute [Name], the application ignores such request.

Remediation

Install update from vendor's website.

External links

https://access.redhat.com/errata/RHSA-2021:2063
https://bugzilla.redhat.com/show_bug.cgi?id=1941565