CVE-2017-12159 - It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An

CVE-2017-12159

Summary

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

References

Vulnerable Configurations

cpe:2.3:a:redhat:single_sign_on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign_on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign_on:7.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign_on:7.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:a:keycloak:keycloak:-:*:*:*:*:*:*:*
cpe:2.3:a:keycloak:keycloak:-:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 09-10-2019 - 23:22)
Impact:
Exploitability:

CWE

CWE-613

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

redhat via4

advisories

rhsa
id RHSA-2017:2904
rhsa
id RHSA-2017:2905
rhsa
id RHSA-2017:2906

rpms

rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6
rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6
rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7

refmap via4

bid	101601
confirm	https://bugzilla.redhat.com/show_bug.cgi?id=1484111

Last major update

09-10-2019 - 23:22

Published

26-10-2017 - 17:29

Last modified

09-10-2019 - 23:22