{"api_version":"1","generated_at":"2026-05-13T13:53:44+00:00","cve":"CVE-2017-12159","urls":{"html":"https://cve.report/CVE-2017-12159","api":"https://cve.report/api/cve/CVE-2017-12159.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-12159","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-12159"},"summary":{"title":"CVE-2017-12159","description":"It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.","state":"PUBLISHED","assigner":"redhat","published_at":"2017-10-26 17:29:00","updated_at":"2025-04-20 01:37:25"},"problem_types":["CWE-613","CWE-613 CWE-613"],"metrics":[{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"HIGH","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"http://www.securityfocus.com/bid/101601","name":"http://www.securityfocus.com/bid/101601","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"],"title":"Malformed Request","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2017:2905","name":"https://access.redhat.com/errata/RHSA-2017:2905","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1484111","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1484111","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory","VDB Entry"],"title":"1484111 – (CVE-2017-12159) CVE-2017-12159 keycloak: CSRF token fixation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:2904","name":"https://access.redhat.com/errata/RHSA-2017:2904","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:2906","name":"https://access.redhat.com/errata/RHSA-2017:2906","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-12159","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12159","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat, Inc.","product":"keycloak","version":"affected 3.4.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"12159","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"keycloak","cpe5":"keycloak","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12159","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server","cpe6":"6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12159","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12159","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"single_sign_on","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12159","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"single_sign_on","cpe6":"7.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-05T18:28:16.484Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1484111"},{"name":"RHSA-2017:2904","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2017:2904"},{"name":"RHSA-2017:2905","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2017:2905"},{"name":"RHSA-2017:2906","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2017:2906"},{"name":"101601","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/101601"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"keycloak","vendor":"Red Hat, Inc.","versions":[{"status":"affected","version":"3.4.0"}]}],"datePublic":"2017-10-17T00:00:00.000Z","descriptions":[{"lang":"en","value":"It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-613","description":"CWE-613","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2017-10-28T09:57:01.000Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1484111"},{"name":"RHSA-2017:2904","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2017:2904"},{"name":"RHSA-2017:2905","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2017:2905"},{"name":"RHSA-2017:2906","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2017:2906"},{"name":"101601","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/101601"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","DATE_PUBLIC":"2017-10-17T00:00:00","ID":"CVE-2017-12159","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"keycloak","version":{"version_data":[{"version_value":"3.4.0"}]}}]},"vendor_name":"Red Hat, Inc."}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-613"}]}]},"references":{"reference_data":[{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=1484111","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1484111"},{"name":"RHSA-2017:2904","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:2904"},{"name":"RHSA-2017:2905","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:2905"},{"name":"RHSA-2017:2906","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:2906"},{"name":"101601","refsource":"BID","url":"http://www.securityfocus.com/bid/101601"}]}}}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2017-12159","datePublished":"2017-10-26T17:00:00.000Z","dateReserved":"2017-08-01T00:00:00.000Z","dateUpdated":"2024-09-16T21:02:35.248Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-10-26 17:29:00","lastModifiedDate":"2025-04-20 01:37:25","problem_types":["CWE-613","CWE-613 CWE-613"],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:single_sign_on:7.0:*:*:*:*:*:*:*","matchCriteriaId":"DF1B9058-6085-456E-B86B-59C5B6169768"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:single_sign_on:7.1:*:*:*:*:*:*:*","matchCriteriaId":"11FE6021-DBE7-4FFD-B021-F97EF80BDEEA"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*","matchCriteriaId":"9BBCD86A-E6C7-4444-9D74-F861084090F0"},{"vulnerable":false,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*","matchCriteriaId":"51EF4996-72F4-4FA4-814F-F5991E7A8318"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:keycloak:keycloak:-:*:*:*:*:*:*:*","matchCriteriaId":"571D4D3F-5768-4F93-9337-3D82B7E0C118"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"12159","Ordinal":"1","Title":"CVE-2017-12159","CVE":"CVE-2017-12159","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"12159","Ordinal":"1","NoteData":"It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.","Type":"Description","Title":"CVE-2017-12159"},{"CveYear":"2017","CveId":"12159","Ordinal":"2","NoteData":"2017-10-26","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"12159","Ordinal":"3","NoteData":"2017-10-28","Type":"Other","Title":"Modified"}]}}}