CVE-2017-7474
First published: Tue Apr 25 2017(Updated: )
It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/keycloak | <3.1.0 | 3.1.0 |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.0 | |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.0-cr1 | |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.1 | |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.2 | |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.3 | |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.4 | |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.5 | |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.6 | |
| Keycloak Keycloak-nodejs-auth-utils | =2.5.7 | |
| Keycloak Keycloak-nodejs-auth-utils | =3.0.0 | |
| Keycloak Keycloak-nodejs-auth-utils | =3.0.0-cr1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-7474
- https://bugzilla.redhat.com/show_bug.cgi?id=1445271
- http://rhn.redhat.com/errata/RHSA-2017-1203.html
- https://github.com/advisories/GHSA-mw35-24gh-f82w (Advisory)
- https://issues.jboss.org/browse/KEYCLOAK-4771
- https://github.com/keycloak/keycloak-nodejs-auth-utils/pull/49
- https://access.redhat.com/errata/RHSA-2017:1203
Frequently Asked Questions
What is the severity of CVE-2017-7474?
CVE-2017-7474 has a medium severity rating due to its potential for authentication bypass.
How do I fix CVE-2017-7474?
To fix CVE-2017-7474, upgrade to Keycloak Node.js adapter version 3.1.0 or later.
What versions are affected by CVE-2017-7474?
CVE-2017-7474 affects Keycloak Node.js adapter versions 2.5.0 through 3.0.0.
What could an attacker do with CVE-2017-7474?
An attacker could exploit CVE-2017-7474 to bypass authentication and access restricted information.
Is CVE-2017-7474 exploitable in production environments?
Yes, CVE-2017-7474 is exploitable in production environments if the affected versions are in use.
- collector/github-advisory-latest
- alias/GHSA-mw35-24gh-f82w
- alias/CVE-2017-7474
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/references
- agent/event
- agent/description
- agent/trending
- agent/tags
- agent/source
- package-manager/npm
- vendor/keycloak
- canonical/keycloak keycloak-nodejs-auth-utils
- version/keycloak keycloak-nodejs-auth-utils/2.5.0
- version/keycloak keycloak-nodejs-auth-utils/2.5.0-cr1
- version/keycloak keycloak-nodejs-auth-utils/2.5.1
- version/keycloak keycloak-nodejs-auth-utils/2.5.2
- version/keycloak keycloak-nodejs-auth-utils/2.5.3
- version/keycloak keycloak-nodejs-auth-utils/2.5.4
- version/keycloak keycloak-nodejs-auth-utils/2.5.5
- version/keycloak keycloak-nodejs-auth-utils/2.5.6
- version/keycloak keycloak-nodejs-auth-utils/2.5.7
- version/keycloak keycloak-nodejs-auth-utils/3.0.0
- version/keycloak keycloak-nodejs-auth-utils/3.0.0-cr1
- package-manager/redhat