Keycloak vulnerable to impersonation via logout token exchange
Package:
Affected versions: < 22.0.10; >= 23.0.0, < 24.0.3
Patched versions: 22.0.10, 24.0.3
Description
Published to the GitHub Advisory Database: Apr 17, 2024
Reviewed: Apr 17, 2024
Last updated: Apr 17, 2024
Keycloak was found not to properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of the enforced permissions.
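To make the flaw class concrete, the following Python is an added illustration and is not Keycloak's code: a token-exchange routine that only checks the signature (any validly signed token, including a logout token, is accepted as a subject token) beside one that additionally requires the token's declared type to be an access token. The HS256 key, the claims, and the type labels "Bearer" and "Logout" in the JWS header are all constructed for this demo; a real deployment would verify an asymmetric signature against the issuer's published keys and the exact type labels depend on the issuer.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes, typ: str) -> str:
    """Mint a compact JWS (HS256, demo only) whose header 'typ' states the token kind."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def _split_and_check_signature(token: str, key: bytes):
    """Return (header, claims) after pinning the algorithm and checking the MAC."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return header, json.loads(_b64url_decode(payload_b64))


def verify_signature_only(token: str, key: bytes) -> dict:
    """The weak pattern: a valid signature is treated as sufficient, whatever the token is."""
    _, claims = _split_and_check_signature(token, key)
    return claims


def verify_token_of_type(token: str, key: bytes, expected_typ: str) -> dict:
    """The hardened pattern: signature AND declared token type must both be acceptable."""
    header, claims = _split_and_check_signature(token, key)
    if header.get("typ") != expected_typ:
        raise ValueError(f"token type {header.get('typ')!r} not accepted, need {expected_typ!r}")
    return claims


def exchange_vulnerable(subject_token: str, key: bytes) -> str:
    # Issues a fresh access token for whatever subject the signed input names.
    claims = verify_signature_only(subject_token, key)
    return sign_token({"sub": claims["sub"], "scope": "full"}, key, "Bearer")


def exchange_fixed(subject_token: str, key: bytes) -> str:
    # Only an access token ("Bearer" here, a constructed label) may be exchanged.
    claims = verify_token_of_type(subject_token, key, "Bearer")
    return sign_token({"sub": claims["sub"], "scope": "full"}, key, "Bearer")


def demo():
    """Feed a constructed logout token to both exchange routines; returns (vulnerable_accepted, fixed_rejected)."""
    key = b"constructed-demo-key"  # constructed; never use a static key like this
    logout_token = sign_token({"sub": "alice", "events": {"backchannel-logout": {}}}, key, "Logout")
    vulnerable_accepted = exchange_vulnerable(logout_token, key).count(".") == 2
    try:
        exchange_fixed(logout_token, key)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    return vulnerable_accepted, fixed_rejected


if __name__ == "__main__":
    print(demo())  # expected: (True, True)
```

The point of the hardened check is that the signature proves only that the issuer minted the token, not what it was minted for; the consumer must also compare the token's declared type against the type its own endpoint is allowed to accept, and the exchange endpoint should refuse anything that is not an access token.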
References