CVE-2017-7474 : It was found that the Keycloak Node.js adapter 2.5

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

Published 2017-05-12 19:29:00

Updated 2019-10-03 00:03:26

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2017-7474

Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.2
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.2:*:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.3
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.3:*:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.4
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.4:*:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.0
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:*:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.7
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.7:*:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 3.0.0
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:*:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.0 Update CR1
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:cr1:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.1
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.1:*:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 3.0.0 Update CR1
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:cr1:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.5
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.5:*:*:*:*:*:*:*
Matching versions
Keycloak » Keycloak-nodejs-auth-utils » Version: 2.5.6
cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.6:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-7474

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-7474

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-7474

CWE-253 Incorrect Check of Function Return Value

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2017-7474

https://bugzilla.redhat.com/show_bug.cgi?id=1445271

1445271 – (CVE-2017-7474) CVE-2017-7474 keycloak-connect: auth token validity check ignored
Issue Tracking;Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2017-1203.html

RHSA-2017:1203 - Security Advisory - Red Hat Customer Portal

Jump to

Vulnerability Details : CVE-2017-7474

Products affected by CVE-2017-7474

Exploit prediction scoring system (EPSS) score for CVE-2017-7474

CVSS scores for CVE-2017-7474

CWE ids for CVE-2017-7474

References for CVE-2017-7474