Lucene search
GoogleOSV:GHSA-W6GV-3R3V-GWGJHistoryOct 18, 2018 - 4:47 p.m.
keycloak-core vulnerable to timing attacks against JWS token verification
2018-10-1816:47:41
Google
osv.dev
13
EPSS
0.004
Percentile
73.5%
Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.
References
rhn.redhat.com/errata/RHSA-2017-0876.html
access.redhat.com/errata/RHSA-2017:0872
access.redhat.com/errata/RHSA-2017:0873
bugzilla.redhat.com/show_bug.cgi?id=1412376
github.com/advisories/GHSA-w6gv-3r3v-gwgj
nvd.nist.gov/vuln/detail/CVE-2017-2585
web.archive.org/web/20170420113802/www.securitytracker.com/id/1038180
web.archive.org/web/20200227175650/www.securityfocus.com/bid/97393
Related
veracode
veracode
Timing Attacks
2017-04-05 06:18:12
nvd
nvd
CVE-2017-2585
2018-03-12 15:29:00
redhatcve
redhatcve
CVE-2017-2585
2017-04-04 16:48:04
cvelist
cvelist
CVE-2017-2585
2018-03-12 15:00:00
cve
cve
CVE-2017-2585
2018-03-12 15:29:00
prion
prion
Design/Logic Flaw
2018-03-12 15:29:00
osv
osv
CVE-2017-2585
2018-03-12 15:29:00
github
github
keycloak-core vulnerable to timing attacks against JWS token verification
2018-10-18 16:47:41
redhat
redhat
(RHSA-2017:0872) Moderate: Red Hat Single Sign-On 7.1 update on RHEL 6
2017-04-04 17:08:32
(RHSA-2017:0876) Moderate: Red Hat Single Sign-On 7.1 update
2017-04-04 17:13:48
(RHSA-2017:0873) Moderate: Red Hat Single Sign-On 7.1 update on RHEL 7
2017-04-04 17:08:47
nessus
nessus
RHEL 7 : Single Sign-On (RHSA-2017:0873)
2018-09-06 00:00:00