Description

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

Remediation

References

https://access.redhat.com/errata/RHSA-2017:2904

https://access.redhat.com/errata/RHSA-2017:2905

https://access.redhat.com/errata/RHSA-2017:2906

https://bugzilla.redhat.com/show_bug.cgi?id=1484154

Related Vulnerabilities

CVE-2023-31544 Vulnerability in maven package org.opencms:opencms-core

CVE-2020-28477 Vulnerability in maven package org.webjars.npm:immer

CVE-2020-8123 Vulnerability in npm package strapi

CVE-2017-6056 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2021-3163 Vulnerability in npm package quill

Severity

High

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Third Party Advisory