Bug 1445271 (CVE-2017-7474)

Summary: CVE-2017-7474 keycloak-connect: auth token validity check ignored
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: chazlett, cobrien, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: keycloak 3.1.0
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Keycloak Node.js adapter did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.
Last Closed: 2017-05-24 22:30:38 UTC
Bug Blocks: 1444863

Description Chess Hazlett 2017-04-25 12:09:30 UTC
The Node.js auth-utils grant manager causes token validity to be ignored during validateGrant().

Upstream JIRA: KEYCLOAK-4771
Pull request: https://github.com/keycloak/keycloak-nodejs-auth-utils/pull/49

Comment 2 Chess Hazlett 2017-05-01 17:08:43 UTC
Acknowledgments:

Name: Nick Shearer (Quest)

Comment 3 errata-xmlrpc 2017-05-08 19:21:20 UTC
This issue has been addressed in the following products:

Via RHSA-2017:1203 https://access.redhat.com/errata/RHSA-2017:1203