CVE-2017-7474

high-risk
Published 2017-05-12

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

Do I need to act?

~
1.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (11)

Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils
Keycloak-Nodejs-Auth-Utils

Affected Vendors

Keycloak

References (4)

http://rhn.redhat.com/errata/RHSA-2017-1203.html
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1445271
http://rhn.redhat.com/errata/RHSA-2017-1203.html
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1445271
53
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 16/34 · Moderate