Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-12160

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

Published

2017-10-26T17:29:00.297

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-285
Type: Primary
CWE-287

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redhat	keycloak	-	Yes

References

https://access.redhat.com/errata/RHSA-2017:2904 Issue Tracking, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:2905 Issue Tracking, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:2906 Issue Tracking, Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1484154 Issue Tracking, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:2904 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:2905 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:2906 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=1484154 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)