1445271 – (CVE-2017-7474) CVE-2017-7474 keycloak-connect: auth token validity check ignored

Bug 1445271 (CVE-2017-7474) - CVE-2017-7474 keycloak-connect: auth token validity check ignored

Summary: CVE-2017-7474 keycloak-connect: auth token validity check ignored

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-7474
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1444863
TreeView+	depends on / blocked

Reported:	2017-04-25 12:09 UTC by Chess Hazlett
Modified:	2021-02-17 02:13 UTC (History)
CC List:	3 users (show)
Fixed In Version:	keycloak 3.1.0
Clone Of:
Environment:
Last Closed:	2017-05-24 22:30:38 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:1203	0	normal	SHIPPED_LIVE	Important: Red Hat Single Sign-On Node.js adapter security update	2017-05-08 23:21:05 UTC

Description Chess Hazlett 2017-04-25 12:09:30 UTC

the nodejs auth-utils grant manager causes token validity to be ignored during validateGrant().

upstream jira KEYCLOAK-4771
pull request: https://github.com/keycloak/keycloak-nodejs-auth-utils/pull/49

Comment 2 Chess Hazlett 2017-05-01 17:08:43 UTC

Acknowledgments:

Name: Nick Shearer (Quest)

Comment 3 errata-xmlrpc 2017-05-08 19:21:20 UTC

This issue has been addressed in the following products:



Via RHSA-2017:1203 https://access.redhat.com/errata/RHSA-2017:1203

Note You need to log in before you can comment on or make changes to this bug.