CVE-2017-12159
Keycloak CSRF Vulnerability
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 0.59%
Description
The cookie that Keycloak used for CSRF prevention was not unique to each session. A CSRF cookie only works as a defence if its value is a secret bound to the victim's own session; because the value was shared, an attacker who learned it (for example from their own session) could place it in a forged cross-site request, and that request would pass the CSRF check when the victim's browser submitted it with the victim's authenticated session. The attacker could therefore perform state-changing actions in the victim's session, leading to possible information disclosure or further attacks such as account takeover.
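The following is an added illustration of the flaw class described above, not Keycloak source code. It models the double-submit pattern in which a form field must match a CSRF cookie, and contrasts a cookie whose value is the same for every session (the vulnerable behaviour) with one generated per session. The constant `SHARED_VALUE`, the `Session`/`Request` classes and the helper names are all constructed for this example.

```python
"""Double-submit CSRF check with a shared cookie versus a per-session cookie.

Added example; not Keycloak code. SHARED_VALUE stands in for whatever
non-session-specific input produced the shared cookie in the vulnerable
deployment; it is constructed for this illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a cookie value that every session receives.
SHARED_VALUE = "same-for-every-session"


@dataclass
class Session:
    user: str
    # Per-session secret: 256 bits from the OS CSPRNG, generated at login.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookie_token: str  # attached automatically by the browser that owns the session
    form_token: str    # written into the HTML form by whoever authored the page


def csrf_cookie_value(session: Session, unique_per_session: bool) -> str:
    """Value the server sets in the CSRF cookie for this session."""
    if unique_per_session:
        return session.csrf_token
    return SHARED_VALUE  # the flaw: every session gets the same value


def double_submit_ok(req: Request) -> bool:
    """Server-side check: the form field must equal the cookie (constant-time compare)."""
    return hmac.compare_digest(req.cookie_token.encode(), req.form_token.encode())


def legitimate_post(unique_per_session: bool) -> bool:
    """The victim submits a form rendered by the real site inside their own session."""
    victim = Session("victim")
    cookie = csrf_cookie_value(victim, unique_per_session)
    return double_submit_ok(Request(cookie_token=cookie, form_token=cookie))


def cross_site_post(unique_per_session: bool) -> bool:
    """An attacker with their own account hosts a page that auto-submits a
    state-changing form to the site. The victim's browser attaches the victim's
    cookie; the form field holds whatever the attacker learned from their own session.
    Returns True if the forged request passes the CSRF check."""
    attacker = Session("attacker")
    victim = Session("victim")
    token_attacker_learned = csrf_cookie_value(attacker, unique_per_session)
    forged = Request(
        cookie_token=csrf_cookie_value(victim, unique_per_session),
        form_token=token_attacker_learned,
    )
    return double_submit_ok(forged)


if __name__ == "__main__":
    print("shared cookie, forged request accepted:", cross_site_post(False))
    print("per-session cookie, forged request accepted:", cross_site_post(True))
```

With the shared value the forged request is accepted, because the attacker's own cookie told them exactly what the victim's browser will send. With a per-session random token the same attack fails: the attacker cannot read the victim's cookie from a cross-site page, and their own token does not match it. Legitimate same-site submissions pass in both modes, which is why the flaw is invisible to ordinary functional testing.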
How to fix CVE-2017-12159
To remediate CVE-2017-12159, upgrade the affected package to a fixed version listed below. There is no configuration workaround recorded for this issue; the fix is in the server code.
- Maven/org.keycloak:keycloak-parent: upgrade to 3.4.0 or later
Is CVE-2017-12159 being exploited?
Low. The EPSS score of 0.59% is an estimate of the probability that this vulnerability is exploited in the wild within the next 30 days, not a report of observed attacks. A low EPSS does not make the upgrade optional: the attack needs only a logged-in victim to visit an attacker-controlled page.
Affected packages (1)
- Maven/org.keycloak:keycloak-parent: all versions from 0 up to, but not including, 3.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

The vector string is written in CVSS v3.0 notation; the individual metrics and the resulting 7.5 base score are identical under v3.1. The vector reflects a network-reachable attack with no privileges or user interaction from the attacker's side, and a high confidentiality impact with no integrity or availability impact scored.