{
  "threat_severity" : "Low",
  "public_date" : "2024-04-16T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: impersonation via logout token exchange",
    "id" : "2166728",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2166728"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-273",
  "details" : [ "A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.", "A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions." ],
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-04-16T00:00:00Z",
    "advisory" : "RHSA-2024:1867",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-operator-bundle:22.0.10-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-04-16T00:00:00Z",
    "advisory" : "RHSA-2024:1867",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-rhel9:22-13"
  }, {
    "product_name" : "Red Hat build of Keycloak 22",
    "release_date" : "2024-04-16T00:00:00Z",
    "advisory" : "RHSA-2024:1867",
    "cpe" : "cpe:/a:redhat:build_keycloak:22::el9",
    "package" : "rhbk/keycloak-rhel9-operator:22-16"
  }, {
    "product_name" : "Red Hat build of Keycloak 22.0.10",
    "release_date" : "2024-04-16T00:00:00Z",
    "advisory" : "RHSA-2024:1868",
    "cpe" : "cpe:/a:redhat:build_keycloak:22",
    "package" : "keycloak"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Fix deferred",
    "package_name" : "rh-sso7-keycloak",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-0657\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0657" ],
  "name" : "CVE-2023-0657",
  "csaw" : false
}