2023-09-20 16:00:28 +00:00
{
"id" : "CVE-2022-3916" ,
"sourceIdentifier" : "secalert@redhat.com" ,
"published" : "2023-09-20T15:15:11.583" ,
2023-09-22 20:00:28 +00:00
"lastModified" : "2023-09-22T18:34:15.783" ,
"vulnStatus" : "Analyzed" ,
2023-09-20 16:00:28 +00:00
"descriptions" : [
{
"lang" : "en" ,
"value" : "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user."
2023-09-22 20:00:28 +00:00
} ,
{
"lang" : "es" ,
"value" : "Se encontr\u00f3 una falla en el alcance offline_access en Keycloak. Este problema afectar\u00eda m\u00e1s a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validaci\u00f3n de la sesi\u00f3n root y a la reutilizaci\u00f3n de los identificadores de sesi\u00f3n en las sesiones de autenticaci\u00f3n de usuario y root. Esto permite a un atacante resolver una sesi\u00f3n de usuario adjunta a un usuario previamente autenticado; al utilizar el token de actualizaci\u00f3n, se les emitir\u00e1 un token para el usuario original."
2023-09-20 16:00:28 +00:00
}
] ,
"metrics" : {
"cvssMetricV31" : [
2023-09-22 20:00:28 +00:00
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"cvssData" : {
"version" : "3.1" ,
"vectorString" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" ,
"attackVector" : "NETWORK" ,
"attackComplexity" : "HIGH" ,
"privilegesRequired" : "LOW" ,
"userInteraction" : "NONE" ,
"scope" : "UNCHANGED" ,
"confidentialityImpact" : "HIGH" ,
"integrityImpact" : "HIGH" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 6.8 ,
"baseSeverity" : "MEDIUM"
} ,
"exploitabilityScore" : 1.6 ,
"impactScore" : 5.2
} ,
2023-09-20 16:00:28 +00:00
{
"source" : "secalert@redhat.com" ,
"type" : "Secondary" ,
"cvssData" : {
"version" : "3.1" ,
"vectorString" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" ,
"attackVector" : "NETWORK" ,
"attackComplexity" : "HIGH" ,
"privilegesRequired" : "LOW" ,
"userInteraction" : "NONE" ,
"scope" : "UNCHANGED" ,
"confidentialityImpact" : "HIGH" ,
"integrityImpact" : "HIGH" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 6.8 ,
"baseSeverity" : "MEDIUM"
} ,
"exploitabilityScore" : 1.6 ,
"impactScore" : 5.2
}
]
} ,
2023-09-22 20:00:28 +00:00
"weaknesses" : [
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"description" : [
{
"lang" : "en" ,
"value" : "CWE-613"
}
]
}
] ,
"configurations" : [
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*" ,
"versionEndExcluding" : "20.0.2" ,
"matchCriteriaId" : "53DA67A0-2E85-499E-B8E1-2B12C433BC29"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*" ,
"matchCriteriaId" : "341E6313-20D5-44CB-9719-B20585DC5AD6"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "2DEC61BC-E699-456E-99B6-C049F2A5F23F"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "142AD0DD-4CF3-4D74-9442-459CE3347E3A"
} ,
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "F4CFF558-3C47-480D-A2F0-BABF26042943"
} ,
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "7F6FB57C-2BC7-487C-96DD-132683AEB35D"
}
]
}
]
} ,
{
"operator" : "AND" ,
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "81609549-25CE-4C8A-9DE3-170D23704208"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "B02036DD-4489-480B-B7D4-4EB08952377B"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "C7E78C55-45B6-4E01-9773-D3468F8EA9C3"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "30E2CF79-2D56-48AB-952E-5DDAFE471073"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "54E24055-813B-4E6D-94B7-FAD5F78B8537"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "CC262C4C-7B6A-4117-A50F-1FF69296DDD8"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "E58526FB-522F-4AAC-B03C-9CAB443D0CFF"
}
]
} ,
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : false ,
"criteria" : "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*" ,
"matchCriteriaId" : "F4CFF558-3C47-480D-A2F0-BABF26042943"
}
]
}
]
}
] ,
2023-09-20 16:00:28 +00:00
"references" : [
{
"url" : "https://access.redhat.com/errata/RHSA-2022:8961" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2022:8962" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2022:8963" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2022:8964" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2022:8965" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2023:1043" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2023:1044" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2023:1045" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2023:1047" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/errata/RHSA-2023:1049" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://access.redhat.com/security/cve/CVE-2022-3916" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
} ,
{
"url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" ,
2023-09-22 20:00:28 +00:00
"source" : "secalert@redhat.com" ,
"tags" : [
"Issue Tracking" ,
"Vendor Advisory"
]
2023-09-20 16:00:28 +00:00
}
]
}
