Lucene search

GitHub Advisory DatabaseGHSA-68HW-VFH7-XVG8

HistoryJun 13, 2019 - 8:38 p.m.

Forced Logout in keycloak-connect

2019-06-1320:38:09

CWE-287

CWE-345

GitHub Advisory Database

github.com

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

Versions of keycloak-connect prior to 4.4.0 are vulnerable to Forced Logout. The package fails to validate JWT signatures on the /k_logout route, allowing attackers to logout users and craft malicious JWTs with NBF values that prevent user access indefinitely.

Recommendation

Upgrade to version 4.4.0 or later.

CPENameOperatorVersion
keycloak-connectlt4.8.3

CPE	Name	Operator	Version
	keycloak-connect	lt	4.8.3

References

www.securityfocus.com/bid/108734

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157

github.com/advisories/GHSA-68hw-vfh7-xvg8

github.com/keycloak/keycloak-nodejs-connect/commit/55e54b55d05ba636bc125a8f3d39f0052d13f8f6

nvd.nist.gov/vuln/detail/CVE-2019-10157

snyk.io/vuln/SNYK-JS-KEYCLOAKNODEJSCONNECT-449920

www.npmjs.com/advisories/978

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

Related for GHSA-68HW-VFH7-XVG8