VDB
RHSA-2022%3A1709
RHSA-2022%3A1709
PUBLISHED
CVSS 8 HIGH
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.
Risk Scores
CVSS 3.1
8
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat Single Sign-On 7 |
Timeline
- May 4, 2022 CVE Published
- Apr 23, 2026 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2022:1709 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://access.redhat.com/security/cve/cve-2022-12454 advisory
- https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index advisory
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=patches&version=7.5 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2071036 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1709.json advisory
- https://access.redhat.com/security/cve/CVE-2022-1245 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-1245 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-1245 advisory
- https://github.com/keycloak/keycloak/security/advisories/GHSA-75p6-52g3-rqc8 advisory