WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2017-12160 Vulnerability in maven package org.keycloak:keycloak-services

Description

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

Remediation

References

https://access.redhat.com/errata/RHSA-2017:2904

https://access.redhat.com/errata/RHSA-2017:2905

https://access.redhat.com/errata/RHSA-2017:2906

https://bugzilla.redhat.com/show_bug.cgi?id=1484154

Related Vulnerabilities

CVE-2021-26544 Vulnerability in maven package org.apache.livy:livy-server

CVE-2023-6393 Vulnerability in maven package io.quarkus:quarkus-cache

CVE-2022-21803 Vulnerability in maven package org.webjars.npm:nconf

CVE-2023-49653 Vulnerability in maven package org.jenkins-ci.plugins:jira

CVE-2020-7733 Vulnerability in maven package org.webjars.bowergithub.faisalman:ua-parser-js

Severity

High

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Third Party Advisory