A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user who is currently logged in to see the personal information of a previously logged-out user in the account manager section.
According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Keycloak | Redhat | * | 9.0.2 (excluding) |
| Red Hat Runtimes Spring Boot 2.2.6 | RedHat | keycloak | * |
| Red Hat Single Sign On 7.3.8 | RedHat | * | |
| Red Hat Single Sign-On 7.3 for RHEL 6 | RedHat | rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el6sso | * |
| Red Hat Single Sign-On 7.3 for RHEL 7 | RedHat | rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el7sso | * |
| Red Hat Single Sign-On 7.3 for RHEL 8 | RedHat | rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el8sso | * |
| Text-Only RHOAR | RedHat | * | |