
GHSA-7fpj-9hr8-28vh / CVE-2023-0657 (GitHub Advisory Database, GitHub Reviewed)

Keycloak vulnerable to impersonation via logout token exchange

Severity: Low • Published Apr 17, 2024 in keycloak/keycloak • Updated Apr 17, 2024

Package: org.keycloak:keycloak-services (Maven)

Affected versions:
  • < 22.0.10
  • >= 23.0.0, < 24.0.3

Patched versions:
  • 22.0.10
  • 24.0.3

Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
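As an added illustration (not Keycloak's own code) of the check the advisory describes as missing: a verifier that stops at the signature accepts any token the realm signed, including a logout token, while one that also enforces the expected `typ` claim rejects it. It assumes HS256 with a shared key in place of the realm's RSA key, and the claim values `Bearer` and `Logout` are constructed sample values following Keycloak's naming.

```python
# Added illustration of the bug class in GHSA-7fpj-9hr8-28vh: a verifier that
# only checks a JWT's signature accepts any token the realm signed, including a
# logout token. The fix is to also enforce the expected "typ" claim.
# Assumptions (not Keycloak code): HS256 with a shared key stands in for the
# realm's RSA key; "Bearer"/"Logout" are constructed sample type values.
import base64, hmac, hashlib, json, time

KEY = b"constructed-demo-key"  # constructed, offline only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Sign claims as an HS256 JWT (stand-in for the realm signing key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_signature(token: str) -> dict:
    """Signature-and-expiry check only: the behaviour the advisory describes."""
    header, body, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

def verify_for_exchange(token: str, expected_typ: str = "Bearer") -> dict:
    """Hardened check: the token type must match what this endpoint expects."""
    claims = verify_signature(token)
    if claims.get("typ") != expected_typ:
        raise ValueError(f"wrong token type {claims.get('typ')!r}, need {expected_typ!r}")
    return claims

# Constructed sample tokens: an access token and a logout token for the same user.
ACCESS = mint({"typ": "Bearer", "sub": "alice", "azp": "app", "exp": int(time.time()) + 300})
LOGOUT = mint({"typ": "Logout", "sub": "alice", "sid": "s1", "exp": int(time.time()) + 300})

def accepts(verifier, token: str) -> bool:
    try:
        verifier(token)
        return True
    except ValueError:
        return False
```

`accepts(verify_signature, LOGOUT)` is true while `accepts(verify_for_exchange, LOGOUT)` is false; only the second verifier refuses to treat a logout token as a bearer credential.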

References

  • GHSA-7fpj-9hr8-28vh

Published to the GitHub Advisory Database: Apr 17, 2024

Last updated: Apr 17, 2024

Related news

Red Hat Security Advisory 2024-1868-03

Red Hat Security Advisory 2024-1868-03 - An update is now available for Red Hat build of Keycloak. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.