{"containers": {"cna": {"affected": [{"product": "Keycloak Node.js adapter", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "2.5 - 3.0"}]}], "datePublic": "2017-05-12T00:00:00", "descriptions": [{"lang": "en", "value": "It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-253", "description": "CWE-253", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}, {"name": "RHSA-2017:1203", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-1203.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-7474", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Keycloak Node.js adapter", "version": {"version_data": [{"version_value": "2.5 - 3.0"}]}}]}, "vendor_name": "Red Hat, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-253"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}, {"name": "RHSA-2017:1203", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-1203.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:04:11.544Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}, {"name": "RHSA-2017:1203", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-1203.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-7474", "datePublished": "2017-05-12T19:00:00", "dateReserved": "2017-04-05T00:00:00", "dateUpdated": "2024-08-05T16:04:11.544Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "293C81B0-D88C-4219-AB11-CD85144E56FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.0:cr1:*:*:*:*:*:*", "matchCriteriaId": "A926EAEF-798A-4CE0-862F-3D9B5BDC0613", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "6D9EC356-A999-4CFB-8091-AEA76FAB0CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "8A48D798-909D-457F-8D0D-74CD686679E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "AA0DBE63-7B46-4841-BE10-F0EDE7B2F8A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "F5AA4E71-08F5-4CCB-B0C8-3D140704BF4F", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "DFD34084-6B9F-43A8-B0EC-B5ABCED7862B", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "1366536F-BA86-49CB-98FB-6C0AA80B4B87", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "E6904521-34F0-4481-8914-5EEF385D2249", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "16BA3E71-4CC7-4E35-AA9F-AFB41C66AD5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:keycloak:keycloak-nodejs-auth-utils:3.0.0:cr1:*:*:*:*:*:*", "matchCriteriaId": "EC11E39C-767D-4385-9371-DC03A8DD1E30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks."}, {"lang": "es", "value": "Se encontr\u00f3 que el adaptador de Keycloak Node.js 2.5 - 3.0 no control\u00f3 correctamente los s\u00edmbolos no v\u00e1lidos. Un atacante podr\u00eda utilizar esta falla para omitir la autenticaci\u00f3n y obtener acceso a informaci\u00f3n restringida, o posiblemente llevar a cabo otros ataques."}], "id": "CVE-2017-7474", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-12T19:29:00.160", "references": [{"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2017-1203.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2017-1203.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-253"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Nick Shearer (Quest) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2017:1203", "cpe": "cpe:/a:redhat:jboss_single_sign_on:7.1", "product_name": "Red Hat Single Sign-On 7.1", "release_date": "2017-05-08T00:00:00Z"}], "bugzilla": {"description": "keycloak-connect: auth token validity check ignored", "id": "1445271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445271"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-253", "details": ["It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.", "It was found that the Keycloak Node.js adapter did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks."], "name": "CVE-2017-7474", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "keycloak-connect", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2017-05-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-7474\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7474"], "threat_severity": "Important"}