Vulnerability Description
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Single Sign On | 7.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Keycloak | Keycloak | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/101601Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:2904Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2905Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2906Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1484111Issue TrackingThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/bid/101601Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:2904Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2905Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2906Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1484111Issue TrackingThird Party AdvisoryVDB Entry
FAQ
What is CVE-2017-12159?
CVE-2017-12159 is a vulnerability with a CVSS score of 7.5 (HIGH). It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible i...
How severe is CVE-2017-12159?
CVE-2017-12159 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-12159?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Single Sign On, Redhat Enterprise Linux Server, Keycloak Keycloak.