GHSA-mw35-24gh-f82w

Source

https://github.com/advisories/GHSA-mw35-24gh-f82w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/11/GHSA-mw35-24gh-f82w/GHSA-mw35-24gh-f82w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mw35-24gh-f82w

Aliases

CVE-2017-7474

Published

2017-11-15T20:41:51Z

Modified

2023-11-08T03:59:24.497819Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

keycloak-connect and keycloak-js improperly handle invalid tokens

Details

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

Database specific

{
    "cwe_ids": [
        "CWE-253"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:47:26Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
}

References

Affected packages

npm / keycloak-connect

Package

Name: keycloak-connect; View open source insights on deps.dev
Purl: pkg:npm/keycloak-connect

Affected ranges

Type: SEMVER
Events: Introduced

2.5.0

Fixed

3.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/11/GHSA-mw35-24gh-f82w/GHSA-mw35-24gh-f82w.json"

npm / keycloak-js

Package

Name: keycloak-js; View open source insights on deps.dev
Purl: pkg:npm/keycloak-js

Affected ranges

Type: SEMVER
Events: Introduced

2.5.0

Fixed

3.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/11/GHSA-mw35-24gh-f82w/GHSA-mw35-24gh-f82w.json"