WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2017-12160 Vulnerability in maven package org.keycloak:keycloak-services

Description

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

Remediation

References

https://access.redhat.com/errata/RHSA-2017:2904

https://access.redhat.com/errata/RHSA-2017:2905

https://access.redhat.com/errata/RHSA-2017:2906

https://bugzilla.redhat.com/show_bug.cgi?id=1484154

Related Vulnerabilities

CVE-2020-10748 Vulnerability in maven package org.keycloak:keycloak-server-spi-private

CVE-2018-19839 Vulnerability in npm package node-sass

CVE-2022-45397 Vulnerability in maven package org.jenkins-ci.plugins:osf-builder-suite-xml-linter

CVE-2021-21391 Vulnerability in npm package @ckeditor/ckeditor5-list

CVE-2019-10793 Vulnerability in maven package org.webjars.bower:dot-object

Severity

High

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Third Party Advisory