CVE-2018-10912Infinite Loop in Redhat Keycloak

CWE-835Infinite Loop11 documents6 sources
Severity
4.9MEDIUMNVD
EPSS
0.5%
top 35.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat KeycloakRedhat Single Sign-on
Timeline
PublishedJul 23
Latest updateJun 12

Description

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

NVDredhat/keycloak< 4.0.0

🔴Vulnerability Details

3
OSV
Moderate severity vulnerability that affects org.keycloak:keycloak-core2018-10-18
GHSA
Moderate severity vulnerability that affects org.keycloak:keycloak-core2018-10-18
CVEList
CVE-2018-10912: keycloak before version 42018-07-23

📋Vendor Advisories

1
Red Hat
keycloak: infinite loop in session replacement leading to denial of service2018-05-25

💬Community

2
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.72019-06-12
Bugzilla
CVE-2018-10912 keycloak: infinite loop in session replacement leading to denial of service2018-07-23
CVE-2018-10912 — Infinite Loop in Redhat Keycloak | cvebase