CVE-2017-7474 - OpenCVE

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Keycloak	Keycloak-nodejs-auth-utils

Configuration 1 [-]

OR	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:cr1::::::
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.1:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.2:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.3:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.4:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.5:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.6:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.7:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:::::::*
	cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:cr1::::::

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2017-1203.html
https://bugzilla.redhat.com/show_bug.cgi?id=1445271	Issue Tracking Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2017-05-12T19:00:00

Updated: 2018-01-04T19:57:01

Reserved: 2017-04-05T00:00:00

Link: CVE-2017-7474

JSON object: View

NVD Information

Status : Modified

Published: 2017-05-12T19:29:00.160

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-7474

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Keycloak Node.js adapter", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "2.5 - 3.0"}]}], "datePublic": "2017-05-12T00:00:00", "descriptions": [{"lang": "en", "value": "It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-253", "description": "CWE-253", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}, {"name": "RHSA-2017:1203", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-1203.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-7474", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Keycloak Node.js adapter", "version": {"version_data": [{"version_value": "2.5 - 3.0"}]}}]}, "vendor_name": "Red Hat, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-253"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}, {"name": "RHSA-2017:1203", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-1203.html"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-7474", "datePublished": "2017-05-12T19:00:00", "dateReserved": "2017-04-05T00:00:00", "dateUpdated": "2018-01-04T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "293C81B0-D88C-4219-AB11-CD85144E56FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:cr1:*:*:*:*:*:*", "matchCriteriaId": "A926EAEF-798A-4CE0-862F-3D9B5BDC0613", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "6D9EC356-A999-4CFB-8091-AEA76FAB0CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "8A48D798-909D-457F-8D0D-74CD686679E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "AA0DBE63-7B46-4841-BE10-F0EDE7B2F8A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "F5AA4E71-08F5-4CCB-B0C8-3D140704BF4F", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "DFD34084-6B9F-43A8-B0EC-B5ABCED7862B", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "1366536F-BA86-49CB-98FB-6C0AA80B4B87", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "E6904521-34F0-4481-8914-5EEF385D2249", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "16BA3E71-4CC7-4E35-AA9F-AFB41C66AD5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:cr1:*:*:*:*:*:*", "matchCriteriaId": "EC11E39C-767D-4385-9371-DC03A8DD1E30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks."}, {"lang": "es", "value": "Se encontr\u00f3 que el adaptador de Keycloak Node.js 2.5 - 3.0 no control\u00f3 correctamente los s\u00edmbolos no v\u00e1lidos. Un atacante podr\u00eda utilizar esta falla para omitir la autenticaci\u00f3n y obtener acceso a informaci\u00f3n restringida, o posiblemente llevar a cabo otros ataques."}], "id": "CVE-2017-7474", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-12T19:29:00.160", "references": [{"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2017-1203.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-253"}], "source": "secalert@redhat.com", "type": "Secondary"}]}