Lucene search
GitHub Advisory DatabaseGHSA-7FPJ-9HR8-28VHHistoryApr 17, 2024 - 6:25 p.m.
Keycloak vulnerable to impersonation via logout token exchange
2024-04-1718:25:59
CWE-284
CWE-287
CWE-290
CWE-347
GitHub Advisory Database
github.com
8
keycloak
vulnerability
impersonation
logout token
access token
data security
Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
Affected configurations
Node
org.keycloak\keycloakMatchservices
ORorg.keycloak\keycloakMatchservices
ORorg.keycloak\keycloakMatchservices
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.keycloak:keycloak-services | ge | 23.0.0 | |
| org.keycloak:keycloak-services | lt | 24.0.3 | |
| org.keycloak:keycloak-services | lt | 22.0.10 |
Related
veracode
veracode
Improper Authentication
2024-04-18 06:19:23
cgr
cgr
CVE-2023-0657 vulnerabilities
2024-05-19 03:07:16
wolfi
wolfi
CVE-2023-0657 vulnerabilities
2024-06-17 09:08:17
redhatcve
redhatcve
CVE-2023-0657
2024-04-17 13:00:29
osv
osv
Keycloak vulnerable to impersonation via logout token exchange
2024-04-17 18:25:59
redhat
redhat