OSV: GHSA-68HW-VFH7-XVG8

Forced Logout in keycloak-connect

Published: 2019-06-13 20:38:09
Source: Google (osv.dev)

EPSS: 0 (percentile 5.1%)

Versions of keycloak-connect prior to 4.4.0 are vulnerable to Forced Logout. The package does not validate JWT signatures on the /k_logout route, so an attacker who cannot produce a valid signature can still log out users, and can craft JWTs with not-before (NBF) values that block a user's access indefinitely.

Recommendation

Upgrade to version 4.4.0 or later.
