Skip to content

Keycloak vulnerable to impersonation via logout token exchange

Low severity GitHub Reviewed Published Apr 17, 2024 in keycloak/keycloak • Updated Apr 17, 2024

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

< 22.0.10
>= 23.0.0, < 24.0.3

Patched versions

22.0.10
24.0.3

Description

Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

References

@abstractj abstractj published to keycloak/keycloak Apr 17, 2024
Published to the GitHub Advisory Database Apr 17, 2024
Reviewed Apr 17, 2024
Last updated Apr 17, 2024

Severity

Low

CVE ID

CVE-2023-0657

GHSA ID

GHSA-7fpj-9hr8-28vh

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.