EPSS percentile: 54.2%
Keycloak services have reusable refresh tokens. If an attacker uses a previously compromised system to create a refresh token pair, that token can be used indefinitely, regardless of any subsequent permission revocation.
access.redhat.com/errata/RHSA-2017:2904
access.redhat.com/errata/RHSA-2017:2905
access.redhat.com/errata/RHSA-2017:2906
bugzilla.redhat.com/show_bug.cgi?id=1484154
github.com/keycloak/keycloak/commit/fea4c54adc6a1fdafb725b89874c389d54b6d04a
issues.jboss.org/browse/KEYCLOAK-5280