org.keycloak:keycloak-services is vulnerable to improper authentication. The reuse of session IDs across root, user authentication sessions and the lack of root session validation allow remote attackers to resolve a user session attached to the previously authenticated user in the offline_access
scope.
access.redhat.com/errata/RHSA-2022:8961
access.redhat.com/errata/RHSA-2022:8962
access.redhat.com/errata/RHSA-2022:8963
access.redhat.com/errata/RHSA-2022:8964
access.redhat.com/errata/RHSA-2022:8965
access.redhat.com/errata/RHSA-2023:1043
access.redhat.com/errata/RHSA-2023:1044
access.redhat.com/errata/RHSA-2023:1045
access.redhat.com/errata/RHSA-2023:1047
access.redhat.com/errata/RHSA-2023:1049
access.redhat.com/security/cve/CVE-2022-3916
bugzilla.redhat.com/show_bug.cgi?id=2141404
github.com/advisories/GHSA-97g8-xfvw-q4hg
github.com/stianst/keycloak/commit/f842837ad2740da36c60958ea6654b1ef3bc5431
github.com/stianst/keycloak/pull/7