CVE-2023-22492
ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The...
Code injection
CVE-2023-22492 RefreshToken invalidation vulnerability
CVE-2023-22492
CVE-2023-22492 (Zitadel) affects Zitadel, where RefreshTokens could be used to obtain new access tokens while a user was locked or deactivated. The deactivated/locked user’s session could still be renewed via a refresh token grant, and once logged out, a new session could not be created. The issu...
CVE-2023-22492 RefreshToken invalidation vulnerability
Keycloak vulnerable to session takeover with OIDC offline refreshtokens
An issue was discovered in Keycloak when using a client with the offlineaccess scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This iss...