CVE-2017-12159
PUBLISHED
CVSS 5 MEDIUM
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.
EPSS 0.59% · 69.6th percentile
Risk Scores
CVSS 2.0
5
EPSS Score
0.59%
69.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat, Inc. | keycloak | 3.4.0 |
| redhat | single_sign_on | 7.0, 7.1 |
| Maven | org.keycloak:keycloak-parent | 0 |
| keycloak | keycloak | |
Exploit Intelligence
- https://bugzilla.redhat.com/show_bug.cgi?id=1484111 (circl)
- RHSA-2017:2904 (circl)
- RHSA-2017:2905 (circl)
- RHSA-2017:2906 (circl)
- 101601 (circl)
Timeline
- Oct 26, 2017 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1484111 url
- RHSA-2017:2904 vendor-advisory
- RHSA-2017:2905 vendor-advisory
- RHSA-2017:2906 vendor-advisory
- 101601 vdb
- https://nvd.nist.gov/vuln/detail/CVE-2017-12159 advisory
- https://web.archive.org/web/20210124113906/http://www.securityfocus.com/bid/101601 url