CVE-2023-0657 — Keycloak vulnerable to impersonation via logout token exchange

Description

Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

How to fix CVE-2023-0657

To remediate CVE-2023-0657, upgrade the affected package to a fixed version below.

—upgrade to 22.0.10 or later

Is CVE-2023-0657 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 22.0.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.4	CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-0657
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2024:1867
WEBaccess.redhat.com/errata/RHSA-2024:1868
WEBaccess.redhat.com