CVE-2017-12159

Severity
7.5HIGH
EPSS
0.6%
top 30.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 26
Latest update: May 13

Description

The cookie Keycloak used for CSRF prevention was not unique to each session, so the same token value was shared across users (the Red Hat advisory describes this as CSRF token fixation). An attacker who learns that value, for example from their own session, can craft a cross-site request that passes Keycloak's CSRF check when submitted by another user's browser, gaining access to that authenticated session and leading to possible information disclosure or further attacks.
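As an added illustration, not Keycloak's code and not taken from this page, the following Python models the failure mode described above: a double-submit CSRF check whose cookie value is the same for every session, beside a version that issues an unpredictable per-session value and compares it in constant time. The class and function names and the constructed cookie value are assumptions made for the example.

```python
import hmac
import secrets


class Request:
    """Minimal stand-in for an HTTP request: the cookies the browser attached
    and the form parameters the submitted page carried."""

    def __init__(self, cookies: dict, params: dict):
        self.cookies = cookies
        self.params = params


# Constructed value: the single CSRF cookie the vulnerable server hands to every session.
SHARED_CSRF_COOKIE = "f3a9c2e1d4b7"


class VulnerableServer:
    """Models the flaw: the CSRF cookie is not unique to each session."""

    def new_session(self) -> dict:
        return {"csrf": SHARED_CSRF_COOKIE}

    def csrf_ok(self, req: Request) -> bool:
        # Double-submit check: the cookie value must equal the submitted form value.
        return req.cookies.get("csrf") == req.params.get("csrf")


class FixedServer:
    """Hardened form: a random value per session, compared in constant time,
    and a missing cookie is rejected outright."""

    def new_session(self) -> dict:
        return {"csrf": secrets.token_urlsafe(32)}

    def csrf_ok(self, req: Request) -> bool:
        cookie = req.cookies.get("csrf", "")
        param = req.params.get("csrf", "")
        return bool(cookie) and hmac.compare_digest(cookie, param)


def legitimate_post(server) -> bool:
    """A user's own page echoes that user's own cookie value into the form."""
    cookies = server.new_session()
    req = Request(cookies=cookies, params={"csrf": cookies["csrf"], "action": "update"})
    return server.csrf_ok(req)


def cross_site_attack(server) -> bool:
    """The attacker opens their own session, reads its CSRF cookie and embeds that
    value in a form hosted on an attacker-controlled site. When the victim's browser
    submits the form it attaches the victim's cookies automatically; the server
    accepts the request only if the two values match."""
    attacker_cookies = server.new_session()
    victim_cookies = server.new_session()
    forged_params = {"csrf": attacker_cookies["csrf"], "action": "update"}
    return server.csrf_ok(Request(cookies=victim_cookies, params=forged_params))


if __name__ == "__main__":
    for server in (VulnerableServer(), FixedServer()):
        print(type(server).__name__,
              "legitimate:", legitimate_post(server),
              "forged:", cross_site_attack(server))
```

Against the vulnerable model the forged request is accepted because the victim's cookie is the very value the attacker already holds; against the fixed model the two sessions hold different random values, so the forged request fails while a legitimate post still succeeds.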

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

CVEList V5: red_hat,_inc./keycloak 3.4.0
NVD: redhat/single_sign_on 7.0, 7.1 (+1)

🔴 Vulnerability Details (3)

OSV
Keycloak CSRF Vulnerability (2022-05-13)
GHSA
Keycloak CSRF Vulnerability (2022-05-13)
CVEList
CVE-2017-12159: It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session (2017-10-26)

📋 Vendor Advisories (1)

Red Hat
keycloak: CSRF token fixation (2017-10-17)

💬 Community (1)

Bugzilla
CVE-2017-12159 keycloak: CSRF token fixation (2017-08-22)