Bug 1484111 (CVE-2017-12159)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2017-12159 keycloak: CSRF token fixation | | |
| Product | [Other] Security Response | Reporter | Chess Hazlett <chazlett> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | bdawidow, chazlett, drieden, drusso, jmadigan, jshepherd, kpiwko, lgriffin, ngough, pbraun, pdrozd, pwright, rrajasek, security-response-team, sthorger, trepel |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | Keycloak 3.3.0.Final, Keycloak 3.4.0.Final | Doc Type | If docs needed, set a value |
| Doc Text | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-10-21 11:55:33 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1484091 | | |
Description
Chess Hazlett
2017-08-22 17:35:32 UTC
Acknowledgments:

Name: Prapti Mittal

This issue has been addressed in the following products:

Red Hat Single Sign-On

Via RHSA-2017:2906 https://access.redhat.com/errata/RHSA-2017:2906

This issue has been addressed in the following products:

Red Hat Single Sign-On 7.1 for RHEL 6

Via RHSA-2017:2904 https://access.redhat.com/errata/RHSA-2017:2904

This issue has been addressed in the following products:

Red Hat Single Sign-On 7.1 for RHEL 7

Via RHSA-2017:2905 https://access.redhat.com/errata/RHSA-2017:2905

In version 1.3.1 of Keycloak, used by RHMAP, the CSRF cookie wasn't added yet. Setting RHMAP as not affected.

https://github.com/keycloak/keycloak/blob/1.3.1.Final/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java