GitHub Advisory DatabaseGHSA-237Q-6HJP-PCHQJBoss KeyCloak is vulnerable to soft token deletion via CSRF
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
35.7%
JBoss KeyCloak is vulnerable to soft token deletion via CSRF. This issue is fixed in Keycloak 1.0.2.Final.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.keycloak:keycloak-services | lt | 1.0.2.Final |
References
access.redhat.com/security/cve/cve-2014-3655
bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3655
github.com/advisories/GHSA-237q-6hjp-pchq
github.com/keycloak/keycloak/commit/0b8b31a3ea7d8d7ac8b14a020613fc32aa5e9d9d
github.com/keycloak/keycloak/pull/703
github.com/victims/victims-cve-db/blob/master/database/java/2014/3655.yaml
nvd.nist.gov/vuln/detail/CVE-2014-3655
snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-30138
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
35.7%