Keycloak was found not to enforce token types when validating token signatures locally: a token whose signature verified under the realm key was accepted regardless of the kind of token it was. An authenticated attacker could exploit this to exchange a logout token for an access token and potentially gain access to data beyond the permissions that should have been enforced.
Affected package and version ranges (the CPE column of the original table was empty and is omitted):

Name | Operator | Version
---|---|---
org.keycloak:keycloak-services | ge | 23.0.0
org.keycloak:keycloak-services | lt | 24.0.3
org.keycloak:keycloak-services | lt | 22.0.10

That is, versions 23.0.0 up to but not including 24.0.3 are affected, as are all versions before 22.0.10; 24.0.3 and 22.0.10 are the first versions outside the affected ranges on their respective branches.
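The following is an added example, not Keycloak's own code, written to show the class of bug the advisory describes: a token-exchange endpoint that verifies the subject token's signature locally but never checks what kind of token it is, beside a version that does. It assumes a single HMAC realm key (constructed here; Keycloak uses asymmetric realm keys) and uses a `typ` claim with the values `Bearer` for access tokens and `Logout` for back-channel logout tokens; those values are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed realm key for the demo; a real deployment uses the realm's signing key.
REALM_KEY = b"demo-realm-hmac-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_token(claims: dict, key: bytes = REALM_KEY) -> str:
    """Mint an HS256 JWT over `claims` with the realm key (demo signer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = REALM_KEY):
    """Local signature check only: return the claims if the HMAC matches, else None.
    Deliberately says nothing about what kind of token this is."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def _mint_access_token(subject: str) -> str:
    # Assumed shape of an access token: typ "Bearer" plus the exchanged subject.
    return sign_token({"typ": "Bearer", "sub": subject, "scope": "openid profile"})


def exchange_vulnerable(subject_token: str):
    """The flaw: any token with a valid realm signature is exchanged for an access
    token, so a logout token (which the realm also signs) is accepted."""
    claims = verify_signature(subject_token)
    if claims is None:
        return None
    return _mint_access_token(claims["sub"])


def exchange_fixed(subject_token: str, allowed_types=("Bearer",)):
    """Hardened: the signature is necessary but not sufficient; the token type
    must be one the exchange endpoint is allowed to consume."""
    claims = verify_signature(subject_token)
    if claims is None or claims.get("typ") not in allowed_types:
        return None
    return _mint_access_token(claims["sub"])


# Constructed sample tokens, both legitimately signed by the realm key.
ACCESS_TOKEN = sign_token({"typ": "Bearer", "sub": "alice", "scope": "openid"})
LOGOUT_TOKEN = sign_token({
    "typ": "Logout",           # assumed type value for a back-channel logout token
    "sub": "alice",
    "sid": "session-1234",
    "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
})


def demo() -> dict:
    """Return what each exchange does with the logout token, for inspection."""
    vuln = exchange_vulnerable(LOGOUT_TOKEN)
    return {
        "vulnerable_minted_access_token": vuln is not None,
        "vulnerable_result_typ": verify_signature(vuln)["typ"] if vuln else None,
        "fixed_rejected_logout_token": exchange_fixed(LOGOUT_TOKEN) is None,
        "fixed_accepts_access_token": exchange_fixed(ACCESS_TOKEN) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check that matters is the `typ` comparison in `exchange_fixed`: signature verification proves the realm issued the token, not that the token is one the endpoint should honour. When auditing a local validator, confirm it rejects a correctly signed token of the wrong type, not only a token with a bad signature.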