Keycloak: session takeover with oidc offline refreshtokens
CVE-2022-3916

6.8MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Single Sign-on 7
Red Hat Single Sign-on 7.6.1
Red Hat Single Sign-on 7.6 For Rhel 7
Red Hat Single Sign-on 7.6 For Rhel 8
Vendor
CVE Published:
20 September 2023

What is CVE-2022-3916?

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Red Hat Single Sign-On 7.6 for RHEL 7 0:18.0.3-1.redhat_00002.1.el7sso

Red Hat Single Sign-On 7.6 for RHEL 7 0:18.0.6-1.redhat_00001.1.el7sso

Red Hat Single Sign-On 7.6 for RHEL 8 0:18.0.3-1.redhat_00002.1.el8sso

References

https://access.redhat.com/errata/RHSA-2022:8961
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2022:8962
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2022:8963
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Peter Flintholm (Trifork) for reporting this issue.
JSON
.