CVE-2022-3916
Published: Sep 20, 2023
Modified: Aug 3, 2024
CVSS v3.1
6.8
Description
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
| Vendor | Product | Versions |
|---|---|---|
Red Hat | Red Hat Single Sign-On 7 | All versions |
Red Hat | Red Hat Single Sign-On 7.6.1 | All versions |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 7 | unaffected 0:18.0.3-1.redhat_00002.1.el7sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 7 | unaffected 0:18.0.6-1.redhat_00001.1.el7sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 8 | unaffected 0:18.0.3-1.redhat_00002.1.el8sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 8 | unaffected 0:18.0.6-1.redhat_00001.1.el8sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 9 | unaffected 0:18.0.3-1.redhat_00002.1.el9sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 9 | unaffected 0:18.0.6-1.redhat_00001.1.el9sso - < * |
Red Hat | RHEL-8 based Middleware Containers | unaffected 7.6-15 - < * |
Red Hat | RHEL-8 based Middleware Containers | unaffected 7.6-20 - < * |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now