CVE-2017-7474
keycloak-connect and keycloak-js improperly handle invalid tokens
Severity: CRITICAL, CVSS 3.1 base score 9.8
EPSS: 1.7%
Description
It was found that the Keycloak Node.js adapter, versions 2.5 through 3.0, did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or possibly to conduct further attacks.
How to fix CVE-2017-7474
To remediate CVE-2017-7474, upgrade the affected package to a fixed version. Check the version actually installed (including transitive installs) rather than only the range declared in package.json.
- npm/keycloak-connect: upgrade to 3.1.0 or later
- npm/keycloak-js: upgrade to 3.1.0 or later
Is CVE-2017-7474 being exploited?
Low. The EPSS score is 1.7%, an estimated probability that the vulnerability is exploited in the wild within the next 30 days; it is a prediction, not a report of observed exploitation, and a low score does not mean the flaw is harmless once the affected adapter is reachable.
Affected packages (2)
- >= 2.5.0, < 3.1.0
- >= 2.5.0, < 3.1.0
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |