CVE-2017-7474

keycloak-connect: auth token validity check ignored

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

Se encontró que el adaptador de Keycloak Node.js 2.5 - 3.0 no controló correctamente los símbolos no válidos. Un atacante podría utilizar esta falla para omitir la autenticación y obtener acceso a información restringida, o posiblemente llevar a cabo otros ataques.

It was found that the Keycloak Node.js adapter did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

Red Hat Single Sign-On 7.1 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. The Node.js adapter provides a simple module for authentication and authorization in Node.js applications. This asynchronous patch is a security update for the Node.js adapter for Red Hat Single Sign-On 7.1. Multiple security issues have been addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-05 CVE Reserved
2017-05-08 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-253: Incorrect Check of Function Return Value

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2017-1203.html	2019-10-03
https://bugzilla.redhat.com/show_bug.cgi?id=1445271	2017-05-08
https://access.redhat.com/security/cve/CVE-2017-7474	2017-05-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.0 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.0"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.0 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.0"		cr1		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.1 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.1"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.2 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.2"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.3 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.3"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.4 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.4"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.5 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.5"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.6 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.6"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				2.5.7 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "2.5.7"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				3.0.0 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "3.0.0"		-		Affected
Keycloak Search vendor "Keycloak"		Keycloak-nodejs-auth-utils Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils"				3.0.0 Search vendor "Keycloak" for product "Keycloak-nodejs-auth-utils" and version "3.0.0"		cr1		Affected