Medium severity5.9NVD Advisory· Published Mar 12, 2018· Updated Jun 17, 2026
CVE-2017-2585
CVE-2017-2585
Description
Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-coreMaven | < 2.5.1 | 2.5.1 |
Affected products
2- Red Hat, Inc./keycloakv5Range: 2.5.1
Patches
Vulnerability mechanics
References
10- rhn.redhat.com/errata/RHSA-2017-0876.htmlnvdVendor AdvisoryWEB
- www.securityfocus.com/bid/97393nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1038180nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2017:0872nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:0873nvdVendor AdvisoryWEB
- github.com/advisories/GHSA-w6gv-3r3v-gwgjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-2585ghsaADVISORY
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingWEB
- web.archive.org/web/20170420113802/http://www.securitytracker.com/id/1038180ghsaWEB
- web.archive.org/web/20200227175650/http://www.securityfocus.com/bid/97393ghsaWEB
News mentions
0No linked articles in our index yet.