An issue was discovered in Keycloak when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different, previously authenticated user.

This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the offline_access scope, and another user then authenticates to the application. In that case, the second login will share the same root session id, and when the refresh token is used, the second user will be issued a token for the original user.
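The shared-device scenario above, as an added illustrative model (not Keycloak's code): offline user sessions are keyed by the root session id, logout leaves the root session cookie behind, and the vulnerable refresh path resolves the session by id alone, while the hardened path checks that the resolved session belongs to the token's subject. Class and function names are assumptions for the example.

```python
# Illustrative model of the advisory's flaw, not Keycloak's implementation.
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class RefreshToken:
    subject: str      # user the token was issued to
    session_id: str   # offline user session the token refers to


@dataclass
class OfflineSession:
    user: str
    root_session_id: str


class Server:
    def __init__(self):
        self.offline_sessions: dict[str, OfflineSession] = {}

    def login(self, user, cookie_root_id=None):
        """Returns (root session id to set in the cookie, refresh token)."""
        # Flaw 1: a root id left behind in a cookie is reused rather than rotated.
        root_id = cookie_root_id or secrets.token_hex(8)
        # Flaw 2: the offline session id *is* the root session id, so a later
        # login on the same device resolves the earlier user's offline session.
        session_id = root_id
        if session_id not in self.offline_sessions:
            self.offline_sessions[session_id] = OfflineSession(user, root_id)
        return root_id, RefreshToken(user, session_id)

    def refresh_vulnerable(self, token):
        # Lookup by id only: nothing ties the session back to the token's subject.
        return self.offline_sessions[token.session_id].user

    def refresh_hardened(self, token):
        # Session validation: the resolved session must belong to the token subject.
        # (The full fix also stops reusing one id for root and user sessions.)
        session = self.offline_sessions.get(token.session_id)
        if session is None or session.user != token.subject:
            raise PermissionError("refresh token does not match the resolved session")
        return session.user


def shared_device_scenario():
    """Alice logs in and logs out without clearing cookies; Bob logs in next."""
    server = Server()
    root_id, _alice_token = server.login("alice")
    _, bob_token = server.login("bob", cookie_root_id=root_id)  # stale cookie
    try:
        hardened = server.refresh_hardened(bob_token)
    except PermissionError:
        hardened = "rejected"
    return server.refresh_vulnerable(bob_token), hardened
```

Running `shared_device_scenario()` returns `("alice", "rejected")`: the vulnerable resolver hands Bob a token for Alice, while the hardened one refuses the mismatched session.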
{ "nvd_published_at": "2023-09-20T15:15:11Z", "cwe_ids": [ "CWE-287", "CWE-304", "CWE-488", "CWE-613" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-13T19:44:33Z" }