CVE-2023-0657

LOW 3.4

Keycloak: impersonation via logout token exchange

CVSS Score

3.4

EPSS Score

0.0%

EPSS Percentile

0th

A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

CWE	CWE-273
Published	Nov 17, 2024
Last Updated	Nov 17, 2024

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new low vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Red Hat / Red Hat build of Keycloak 22

All versions affected

Red Hat / Red Hat build of Keycloak 22

All versions affected

Red Hat / Red Hat build of Keycloak 22

All versions affected

Red Hat / Red Hat build of Keycloak 22.0.10

All versions affected

Red Hat / Red Hat Single Sign-On 7

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1867 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1868 access.redhat.com: https://access.redhat.com/security/cve/CVE-2023-0657 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2166728