CVE-2017-12160 — Keycloak Oauth Implementation Error

Description

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

How to fix CVE-2017-12160

To remediate CVE-2017-12160, upgrade the affected package to a fixed version below.

—upgrade to 3.3.0.Final or later

Is CVE-2017-12160 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.3.0.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-12160
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2017:2904
WEBaccess.redhat.com/errata/RHSA-2017:2905
WEBaccess.redhat.com