
CVE-2023-0657: Keycloak vulnerable to impersonation via logout token exchange

CVSS Score (CVSS v3.1): 3.4

Basic Information

EPSS Score: 0.19107%
Published: 4/17/2024
Updated: 11/18/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name                   | Ecosystem | Vulnerable Versions | First Patched Version
org.keycloak:keycloak-services | maven     | < 22.0.10           | 22.0.10
org.keycloak:keycloak-services | maven     | >= 23.0.0, < 24.0.3 | 24.0.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper enforcement of token types during signature validation. Keycloak's OIDC token handling flow involves the TokenManager and TokenValidator classes for token verification. The described flaw matches a scenario in which these components validate a token's cryptographic signature without confirming the token's intended type (for example, access token vs. logout token). These functions are central to token validation and align with the listed CWEs (CWE-347, CWE-273), which point to checks that are missing after cryptographic verification succeeds. While explicit patch details are unavailable, the vulnerability's mechanics strongly implicate these core token validation functions.
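The mechanism described above, a signature check that never confirms the token type, illustrated as an added example; this is not code from Keycloak or from this advisory. The HMAC key and the `typ` labels `Bearer` and `Logout` are constructed for the example: Keycloak signs tokens with the realm's asymmetric key and uses its own type constants.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; real Keycloak tokens are signed with the realm's asymmetric
# key and verified against the realm's published public key (assumption here).
KEY = b"constructed-demo-hmac-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(typ: str, claims: dict, key: bytes = KEY) -> str:
    """Build a compact JWT; the token type travels in the header's typ field."""
    header = b64url(json.dumps({"alg": "HS256", "typ": typ}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_signature(token: str, key: bytes = KEY) -> tuple:
    """Signature check only: the insufficient validation the advisory describes."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))

def verify_token(token: str, expected_typ: str, key: bytes = KEY) -> dict:
    """Hardened check: a valid signature is necessary, not sufficient; the
    token must also be the type this endpoint expects (the check CWE-347 points to)."""
    header, claims = verify_signature(token, key)
    if header.get("typ") != expected_typ:
        raise ValueError(f"token type {header.get('typ')!r}, expected {expected_typ!r}")
    return claims

def accepted_as_access_token(token: str, strict: bool) -> bool:
    """Would a resource server treat `token` as a bearer access token?"""
    try:
        verify_token(token, "Bearer") if strict else verify_signature(token)
        return True
    except ValueError:
        return False
```

With `strict=False` a correctly signed logout token is accepted wherever an access token is expected, which is the class of confusion the advisory describes; with `strict=True` the same token is rejected after its signature verifies.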


WAF Protection Rules

WAF Rule

Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
