CRITICAL🇬🇧 English

CVE-2017-7474

CVSS 9.8v3.0pub. 2017-05-12upd. 2026-05-13

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

oryginał EN
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Keycloak Node.js Auth Utils

    APP
    Keycloak
    2.5.02.5.12.5.22.5.32.5.42.5.52.5.62.5.73.0.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2017-12161HIGH8.8ten sam vendor

It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a...

CVE-2014-3651HIGH7.5ten sam vendor

JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) ...

CVE-2017-12159HIGH7.5ten sam vendor

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker ...

CVE-2014-3709HIGH8.8ten sam vendor

The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows...

CVE-2017-12158MEDIUM5.4ten sam vendor

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web res...