CVE-2017-7474: High severity vulnerability that affects keycloak-connect and keycloak-js

November 15, 2017 (updated January 8, 2021)

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

References

rhn.redhat.com/errata/RHSA-2017-1203.html
bugzilla.redhat.com/show_bug.cgi?id=1445271
github.com/advisories/GHSA-mw35-24gh-f82w
nvd.nist.gov/vuln/detail/CVE-2017-7474

Code Behaviors & Features

Detect and mitigate CVE-2017-7474 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →