CVE-2017-7474

CRITICAL9.8EPSS 1.7%

keycloak-connect and keycloak-js improperly handle invalid tokens

Published: 11/15/2017Modified: 11/8/2023

Description

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

Affected packages (2)

npm/keycloak-connect>= 2.5.0, < 3.1.0
npm/keycloak-js>= 2.5.0, < 3.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-7474
WEBhttp://rhn.redhat.com/errata/RHSA-2017-1203.html
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1445271