#VU88796 Insufficient Session Expiration in Keycloak - CVE-2023-0657

Published: April 17, 2024


Vulnerability identifier: #VU88796
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-0657
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Keycloak
Software vendor: Keycloak

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists because the software does not properly enforce token types when validating signatures locally. An authenticated user can use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
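As an added example (not code from this advisory or from Keycloak), a minimal local HS256 JWT verifier that enforces the token type after the signature check, so a validly signed logout token is refused where an access token is expected; the key, the claim names and the "Logout" type value are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo key; a real deployment verifies against the realm's signing key.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Mint a signed HS256 JWT (constructed fixture for the demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, expected_typ: str, key: bytes = SHARED_KEY) -> dict:
    """Local verification: a valid signature proves who minted the token,
    not what kind of token it is, so the type is checked as well."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Assumption: the token kind is a payload claim named "typ", as in Keycloak
    # access tokens ("Bearer"); the "Logout" value used below is constructed.
    if claims.get("typ") != expected_typ:
        raise ValueError(f"wrong token type {claims.get('typ')!r}")
    return claims

def exchange_is_allowed(token: str) -> bool:
    """Gate for a token-exchange endpoint: only a signed access token qualifies."""
    try:
        verify_token(token, expected_typ="Bearer")
    except ValueError:
        return False
    return True

# Constructed sample tokens: same subject and signing key, different token type.
ACCESS_TOKEN = make_hs256_token({"typ": "Bearer", "sub": "alice"})
LOGOUT_TOKEN = make_hs256_token({"typ": "Logout", "sub": "alice"})
```

Both sample tokens carry a valid signature; only the type check separates them, which is the control the advisory says was missing.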


Remediation

Install updates from the vendor's website.

External links