Vulnerability Name: CVE-2017-12160 (CCN-134161)
Assigned: 2017-08-01
Published: 2017-08-01
Updated: 2020-08-19
Summary: It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.
CVSS v3 Severity:
  - 7.2 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  - 6.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
  - 2.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:U/RL:U/RC:R)
CVSS v2 Severity: 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Vulnerability Type: CWE-287
Vulnerability Consequences: Gain Access
References:
  - Source: MITRE; Type: CNA; CVE-2017-12160
  - Source: CCN; Type: Keycloak Web site; Keycloak
  - Source: REDHAT; Type: Issue Tracking, Third Party Advisory; RHSA-2017:2904
  - Source: REDHAT; Type: Issue Tracking, Third Party Advisory; RHSA-2017:2905
  - Source: REDHAT; Type: Issue Tracking, Third Party Advisory; RHSA-2017:2906
  - Source: CCN; Type: Red Hat Bugzilla; Bug 1484154 (CVE-2017-12160) CVE-2017-12160 keycloak: resource privilege extension via access token in oauth
  - Source: CONFIRM; Type: Issue Tracking, Third Party Advisory; https://bugzilla.redhat.com/show_bug.cgi?id=1484154
  - Source: XF; Type: UNKNOWN; keycloak-cve201712160-weak-security(134161)
  - Source: CCN; Type: WhiteSource Vulnerability Database; CVE-2017-12160
Vulnerable Configuration: Configuration 1; Configuration CCN 1 (denotes that the component is vulnerable)