CVE-2017-7474

CRITICAL 9.8 | EPSS 1.7%

keycloak-connect and keycloak-js improperly handle invalid tokens

Published: 2017/11/15 | Modified: 2023/11/8

Description

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

Affected packages (2)

CVSS score

Source | Version | Severity | Vector
osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference links (3)