Keycloak: session takeover with oidc offline refreshtokens
CVE-2022-3916

6.8MEDIUM

Key Information:

Vendor
Red Hat
Status
Red Hat Single Sign-on 7
Red Hat Single Sign-on 7.6.1
Red Hat Single Sign-on 7.6 For Rhel 7
Red Hat Single Sign-on 7.6 For Rhel 8
Vendor
CVE Published:
20 September 2023

Summary

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.

References

https://access.redhat.com/errata/RHSA-2022:8961
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2022:8962
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2022:8963
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Peter Flintholm (Trifork) for reporting this issue.
.