CVE-2016-8609

Description

It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

Red Hat / keycloak2.3.0 – 2.3.0

References

MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8609
MISChttp://rhn.redhat.com/errata/RHSA-2016-2945.html
MISChttp://www.securitytracker.com/id/1037460
MISChttp://www.securityfocus.com/bid/95070