GHSA-7fpj-9hr8-28vh

Source

https://github.com/advisories/GHSA-7fpj-9hr8-28vh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-7fpj-9hr8-28vh/GHSA-7fpj-9hr8-28vh.json

Aliases

CVE-2023-0657

Published

2024-04-17T18:25:59Z

Modified

2024-04-17T18:41:53.083769Z

Summary

Keycloak vulnerable to impersonation via logout token exchange

Details

Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

References

Affected packages

Maven / org.keycloak:keycloak-services

Package

Name: org.keycloak:keycloak-services

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

22.0.10

Affected versions

1.*

1.0-alpha-1

1.0-alpha-1-12062013

1.0-alpha-2

1.0-alpha-3

1.0-alpha-4

1.0-beta-1

1.0-beta-1-20150521

1.0-beta-1-20150523

1.0-beta-2

1.0-beta-3

1.0-beta-4

1.0-rc-1

1.0-rc-2

1.0-final

1.0.1.Final

1.0.2.Final

1.0.3.Final

1.0.4.Final

1.0.5.Final

1.1.0.Beta1

1.1.0.Beta2

1.1.0.Final

1.1.1.Final

1.2.0.Beta1

1.2.0.CR1

1.2.0.Final

1.3.0.Final

1.3.1.Final

1.4.0.Final

1.5.0-Final

1.5.0.Final

1.5.1.Final

1.6.0.Final

1.6.1.Final

1.7.0.CR1

1.7.0.Final

1.8.0.Alpha1

1.8.0.CR1

1.8.0.CR2

1.8.0.CR3

1.8.0.Final

1.8.1.Final

1.9.0.CR1

1.9.0.Final

1.9.1.Final

1.9.2.Final

1.9.3.Final

1.9.4.Final

1.9.5.Final

1.9.7.Final

1.9.8.Final

2.*

2.0.0.CR1

2.0.0.Final

2.1.0.CR1

2.1.0.Final

2.2.0.CR1

2.2.0.Final

2.2.1.Final

2.3.0.CR1

2.3.0.Final

2.4.0.CR1

2.4.0.Final

2.5.0.CR1

2.5.0.Final

2.5.1.Final

2.5.4.Final

2.5.5.Final

3.*

3.0.0.CR1

3.0.0.Final

3.1.0.CR1

3.1.0.Final

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.3.0.CR1

3.3.0.CR2

3.3.0.Final

3.4.0.CR1

3.4.0.Final

3.4.1.CR1

3.4.1.Final

3.4.2.Final

3.4.3.Final

4.*

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.Final

4.1.0.Final

4.2.0.Final

4.2.1.Final

4.3.0.Final

4.4.0.Final

4.5.0.Final

4.6.0.Final

4.7.0.Final

4.8.0.Final

4.8.1.Final

4.8.2.Final

4.8.3.Final

5.*

5.0.0

6.*

6.0.0

6.0.1

7.*

7.0.0

7.0.1

8.*

8.0.0

8.0.1

8.0.2

9.*

9.0.0

9.0.2

9.0.3

10.*

10.0.0

10.0.1

10.0.2

11.*

11.0.0

11.0.1

11.0.2

11.0.3

12.*

12.0.0

12.0.1

12.0.2

12.0.3

12.0.4

13.*

13.0.0

13.0.1

14.*

14.0.0

15.*

15.0.0

15.0.1

15.0.2

15.1.0

15.1.1

16.*

16.0.0

16.1.0

16.1.1

17.*

17.0.0

17.0.1

18.*

18.0.0

18.0.1

18.0.2

19.*

19.0.0

19.0.1

19.0.2

19.0.3

20.*

20.0.0

20.0.1

20.0.2

20.0.3

20.0.4

20.0.5

21.*

21.0.0

21.0.1

21.0.2

21.1.0

21.1.1

21.1.2

22.*

22.0.0

22.0.1

22.0.2

22.0.3

22.0.4

22.0.5

Maven / org.keycloak:keycloak-services

Package

Name: org.keycloak:keycloak-services

Affected ranges

Type: ECOSYSTEM
Events: Introduced

23.0.0

Fixed

24.0.3

Affected versions

23.*

23.0.0

23.0.1

23.0.2

23.0.3

23.0.4

23.0.5

23.0.6

23.0.7

24.*

24.0.0

24.0.1

24.0.2