Vulnerability Description
It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Keycloak | - |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2017:2904Issue TrackingThird Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2905Issue TrackingThird Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2906Issue TrackingThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1484154Issue TrackingThird Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2904Issue TrackingThird Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2905Issue TrackingThird Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2906Issue TrackingThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1484154Issue TrackingThird Party Advisory
FAQ
What is CVE-2017-12160?
CVE-2017-12160 is a vulnerability with a CVSS score of 7.2 (HIGH). It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission rev...
How severe is CVE-2017-12160?
CVE-2017-12160 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-12160?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Keycloak.