CVE-2022-3916 — MEDIUM (6.8)

Q: How severe is CVE-2022-3916?

CVE-2022-3916 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-3916?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Keycloak, Redhat Single Sign-On, Redhat Enterprise Linux, Redhat Openshift Container Platform, Redhat Openshift Container Platform For Linuxone.

Vulnerability Description

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.

CVSS Score

6.8

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Keycloak	< 20.0.2
Redhat	Single Sign-On	-
Redhat	Enterprise Linux	7.0
Redhat	Openshift Container Platform	4.9
Redhat	Openshift Container Platform For Linuxone	4.9
Redhat	Openshift Container Platform For Power	4.9
Redhat	Openshift Container Platform Ibm Z Systems	4.9

Related Weaknesses (CWE)

CWE-384 CWE-613

References

https://access.redhat.com/errata/RHSA-2022:8961Vendor Advisory
https://access.redhat.com/errata/RHSA-2022:8962Vendor Advisory
https://access.redhat.com/errata/RHSA-2022:8963Vendor Advisory
https://access.redhat.com/errata/RHSA-2022:8964Vendor Advisory
https://access.redhat.com/errata/RHSA-2022:8965Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:1043Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:1044Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:1045Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:1047Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:1049Vendor Advisory
https://access.redhat.com/security/cve/CVE-2022-3916Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2141404Issue TrackingVendor Advisory
https://access.redhat.com/errata/RHSA-2022:8961Vendor Advisory
https://access.redhat.com/errata/RHSA-2022:8962Vendor Advisory
https://access.redhat.com/errata/RHSA-2022:8963Vendor Advisory

FAQ

What is CVE-2022-3916?

CVE-2022-3916 is a vulnerability with a CVSS score of 6.8 (MEDIUM). A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and ...

How severe is CVE-2022-3916?

CVE-2022-3916 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-3916?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Keycloak, Redhat Single Sign-On, Redhat Enterprise Linux, Redhat Openshift Container Platform, Redhat Openshift Container Platform For Linuxone.