CVE-2023-0657

A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

Published: Nov 17, 2024
Updated: May 4, 2025
CVE: CVE-2023-0657
GHSA: GHSA-7fpj-9hr8-28vh
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.4
AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CWEs:

CWE-284
CWE-287
CWE-273
CWE-290
CWE-347

OWASP TOP 10:

A5 - Broken Access Control
A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	22.0.10
org.keycloak / keycloak-services	23.0.0	24.0.3

https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
https://access.redhat.com/security/cve/CVE-2023-0657
https://bugzilla.redhat.com/show_bug.cgi?id=2166728
https://github.com/keycloak/keycloak/security/advisories/GHSA-7fpj-9hr8-28vh

Vulnerability Database

CVE-2023-0657

Deep Security Visibility Without the Complexity