keycloak-connect and keycloak-js improperly handle invalid tokens · CVE-2017-7474 · GitHub Advisory Database · GitHub

keycloak-connect and keycloak-js improperly handle invalid tokens

Critical severity GitHub Reviewed Published Nov 15, 2017 to the GitHub Advisory Database • Updated Sep 8, 2023

Package

keycloak-connect (npm)

Affected versions

>= 2.5.0, < 3.1.0

Patched versions

3.1.0

keycloak-js (npm)

>= 2.5.0, < 3.1.0

3.1.0

Description

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

References

Published to the GitHub Advisory Database Nov 15, 2017

Reviewed Jun 16, 2020

Last updated Sep 8, 2023

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H