Moderate severityNVD Advisory· Published Sep 20, 2023· Updated Aug 3, 2024
Keycloak: session takeover with oidc offline refreshtokens
CVE-2022-3916
Description
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-parentMaven | < 20.0.2 | 20.0.2 |
Affected products
7cpe:/a:redhat:red_hat_single_sign_on:7.6+ 4 more
- cpe:/a:redhat:red_hat_single_sign_on:7.6
- cpe:/a:redhat:red_hat_single_sign_on:7.6.1
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el7range: 0:18.0.6-1.redhat_00001.1.el7sso
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el8range: 0:18.0.6-1.redhat_00001.1.el8sso
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el9range: 0:18.0.6-1.redhat_00001.1.el9sso
- Red Hat/RHEL-8 based Middleware Containersv5cpe:/a:redhat:rhosemc:1.0::el8Range: 7.6-20
Patches
Vulnerability mechanics
References
15- access.redhat.com/errata/RHSA-2022:8961ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2022:8962ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2022:8963ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2022:8964ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2022:8965ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:1043ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:1044ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:1045ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:1047ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:1049ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-97g8-xfvw-q4hgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-3916ghsaADVISORY
- access.redhat.com/security/cve/CVE-2022-3916ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hgghsaWEB
News mentions
0No linked articles in our index yet.