CVE-2017-12159

Published: Oct 26, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

Affected (3)

Products: Redhat: Single Sign On · Keycloak: Keycloak

1 product

1 product

Configuration A

2 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Redhat Single Sign On	Version 7.0
Redhat Single Sign On	Version 7.1

Running on/with	Platform Versions
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server	Version 7.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Keycloak Keycloak	All versions

Related CWEs

CWE-613

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (10)

http://www.securityfocus.com/bid/101601

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:2904

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2905

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2906

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1484111

Source: secalert@redhat.com

Issue TrackingThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/101601