Description

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.

Remediation

References

https://github.com/keycloak/keycloak/security/advisories/GHSA-75p6-52g3-rqc8

Related Vulnerabilities

CVE-2022-39202 Vulnerability in npm package matrix-appservice-irc

CVE-2020-2183 Vulnerability in maven package org.jenkins-ci.plugins:copyartifact

CVE-2016-10559 Vulnerability in npm package selenium-download

CVE-2022-25851 Vulnerability in npm package jpeg-js

CVE-2016-1000343 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

Severity

Critical

Classification

CWE-639 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory