CVE-2022-3916

Keycloak: session takeover with oidc offline refreshtokens

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.

Se encontró una falla en el alcance offline_access en Keycloak. Este problema afectaría más a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validación de la sesión root y a la reutilización de los identificadores de sesión en las sesiones de autenticación de usuario y root. Esto permite a un atacante resolver una sesión de usuario adjunta a un usuario previamente autenticado; al utilizar el token de actualización, se les emitirá un token para el usuario original.

*Credits: Red Hat would like to thank Peter Flintholm (Trifork) for reporting this issue.

CVSS Scores

NISTv3.1 6.8

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-11-09 CVE Reserved
2022-12-13 CVE Published
2024-08-03 CVE Updated
2024-08-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-384: Session Fixation
CWE-613: Insufficient Session Expiration

CAPEC

References (12)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2022:8961	2023-11-07
https://access.redhat.com/errata/RHSA-2022:8962	2023-11-07
https://access.redhat.com/errata/RHSA-2022:8963	2023-11-07
https://access.redhat.com/errata/RHSA-2022:8964	2023-11-07
https://access.redhat.com/errata/RHSA-2022:8965	2023-11-07
https://access.redhat.com/errata/RHSA-2023:1043	2023-11-07
https://access.redhat.com/errata/RHSA-2023:1044	2023-11-07
https://access.redhat.com/errata/RHSA-2023:1045	2023-11-07
https://access.redhat.com/errata/RHSA-2023:1047	2023-11-07
https://access.redhat.com/errata/RHSA-2023:1049	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-3916	2023-03-01
https://bugzilla.redhat.com/show_bug.cgi?id=2141404	2023-03-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"	Single Sign-on Search vendor "Redhat" for product "Single Sign-on"	7.6 Search vendor "Redhat" for product "Single Sign-on" and version "7.6"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Single Sign-on Search vendor "Redhat" for product "Single Sign-on"	7.6 Search vendor "Redhat" for product "Single Sign-on" and version "7.6"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Single Sign-on Search vendor "Redhat" for product "Single Sign-on"	7.6 Search vendor "Redhat" for product "Single Sign-on" and version "7.6"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.9 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.9"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.10 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.10"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Linuxone Search vendor "Redhat" for product "Openshift Container Platform For Linuxone"	4.9 Search vendor "Redhat" for product "Openshift Container Platform For Linuxone" and version "4.9"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Linuxone Search vendor "Redhat" for product "Openshift Container Platform For Linuxone"	4.10 Search vendor "Redhat" for product "Openshift Container Platform For Linuxone" and version "4.10"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Power Search vendor "Redhat" for product "Openshift Container Platform For Power"	4.9 Search vendor "Redhat" for product "Openshift Container Platform For Power" and version "4.9"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Power Search vendor "Redhat" for product "Openshift Container Platform For Power"	4.10 Search vendor "Redhat" for product "Openshift Container Platform For Power" and version "4.10"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Ibm Z Systems Search vendor "Redhat" for product "Openshift Container Platform Ibm Z Systems"	4.9 Search vendor "Redhat" for product "Openshift Container Platform Ibm Z Systems" and version "4.9"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Ibm Z Systems Search vendor "Redhat" for product "Openshift Container Platform Ibm Z Systems"	4.10 Search vendor "Redhat" for product "Openshift Container Platform Ibm Z Systems" and version "4.10"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"		Keycloak Search vendor "Redhat" for product "Keycloak"				< 20.0.2 Search vendor "Redhat" for product "Keycloak" and version " < 20.0.2"		-		Affected
Redhat Search vendor "Redhat"		Single Sign-on Search vendor "Redhat" for product "Single Sign-on"				-		text-only		Affected