CVE-2022-1245
08.07.2022, 00:15
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.Enginsight
| Vendor | Product | Version |
|---|---|---|
| redhat | keycloak | 𝑥 < 18.0.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-862 - Missing AuthorizationThe software does not perform an authorization check when an actor attempts to access a resource or perform an action.
- CWE-639 - Authorization Bypass Through User-Controlled KeyThe system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.