Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03ZnBqLTlocjgtMjh2aM4AA7JC
Keycloak vulnerable to impersonation via logout token exchange
Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
Permalink: https://github.com/advisories/GHSA-7fpj-9hr8-28vhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ZnBqLTlocjgtMjh2aM4AA7JC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 16 days ago
Updated: 16 days ago
Identifiers: GHSA-7fpj-9hr8-28vh, CVE-2023-0657
References:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-7fpj-9hr8-28vh
- https://github.com/advisories/GHSA-7fpj-9hr8-28vh
Blast Radius: 0.0
Affected Packages
maven:org.keycloak:keycloak-services
Dependent packages: 90Dependent repositories: 561
Downloads:
Affected Version Ranges: >= 23.0.0, < 24.0.3, < 22.0.10
Fixed in: 24.0.3, 22.0.10
All affected versions: 5.0.0, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 8.0.0, 8.0.1, 8.0.2, 9.0.0, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.0.1, 14.0.0, 15.0.0, 15.0.1, 15.0.2, 15.1.0, 15.1.1, 16.0.0, 16.1.0, 16.1.1, 17.0.0, 17.0.1, 18.0.0, 18.0.1, 18.0.2, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.1.1, 21.1.2, 22.0.0, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4, 23.0.5, 23.0.6, 23.0.7, 24.0.0, 24.0.1, 24.0.2
All unaffected versions: 24.0.3