High severity7.2NVD Advisory· Published Oct 26, 2017· Updated May 13, 2026

CVE-2017-12160

Description

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.keycloak:keycloak-parentMaven	< 3.3.0.Final	3.3.0.Final

Affected products

Red Hat/Keycloak
cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*
Red Hat, Inc./keycloakv5
Range: 3.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2017:2904nvdIssue TrackingThird Party AdvisoryWEB
access.redhat.com/errata/RHSA-2017:2905nvdIssue TrackingThird Party AdvisoryWEB
access.redhat.com/errata/RHSA-2017:2906nvdIssue TrackingThird Party AdvisoryWEB
bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party AdvisoryWEB
github.com/advisories/GHSA-qc72-gfvw-76h7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-12160ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000