CVE-2022-3916 - Vulnerability Details

- Keycloak: session takeover with oidc offline refreshtokens

Description

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.

Published: 2023-09-20

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Red Hat Red Hat Single Sign-On 7 unaffected —

Red Hat Red Hat Single Sign-On 7.6.1 unaffected —

Red Hat

Red Hat Single Sign-On 7.6 for RHEL 7

affected

Version	Status	Constraints
`0:18.0.3-1.redhat_00002.1.el7sso`	unaffected	< *

Red Hat

Red Hat Single Sign-On 7.6 for RHEL 7

affected

Version	Status	Constraints
`0:18.0.6-1.redhat_00001.1.el7sso`	unaffected	< *

Red Hat

Red Hat Single Sign-On 7.6 for RHEL 8

affected

Version	Status	Constraints
`0:18.0.3-1.redhat_00002.1.el8sso`	unaffected	< *

Red Hat

Red Hat Single Sign-On 7.6 for RHEL 8

affected

Version	Status	Constraints
`0:18.0.6-1.redhat_00001.1.el8sso`	unaffected	< *

Red Hat

Red Hat Single Sign-On 7.6 for RHEL 9

affected

Version	Status	Constraints
`0:18.0.3-1.redhat_00002.1.el9sso`	unaffected	< *

Red Hat

Red Hat Single Sign-On 7.6 for RHEL 9

affected

Version	Status	Constraints
`0:18.0.6-1.redhat_00001.1.el9sso`	unaffected	< *

Red Hat

RHEL-8 based Middleware Containers

affected

Version	Status	Constraints
`7.6-15`	unaffected	< *

Red Hat

RHEL-8 based Middleware Containers

affected

Version	Status	Constraints
`7.6-20`	unaffected	< *

Configuration 1 [-]

OR	cpe:2.3:a:redhat:keycloak::::::::
	cpe:2.3:a:redhat:single_sign-on:-::::text-only:::

Configuration 2 [-]

AND

cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 3 [-]

AND

OR	cpe:2.3:a:redhat:openshift_container_platform:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.10:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:::::::*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Single Sign-On 7
keycloak	cpe:/a:redhat:red_hat_single_sign_on:7.6	RHSA-2023:1049	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6.1
keycloak	cpe:/a:redhat:red_hat_single_sign_on:7.6.1	RHSA-2022:8965	2022-12-13T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.3-1.redhat_00002.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2022:8961	2022-12-13T00:00:00Z
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2023:1043	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.3-1.redhat_00002.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2022:8962	2022-12-13T00:00:00Z
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2023:1044	2023-03-01T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.3-1.redhat_00002.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:8963	2022-12-13T00:00:00Z
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2023:1045	2023-03-01T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-15	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2022:8964	2022-12-13T00:00:00Z
rh-sso-7/sso76-openshift-rhel8:7.6-20	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:1047	2023-03-01T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7575	A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
Github GHSA	GHSA-97g8-xfvw-q4hg	Keycloak vulnerable to session takeover with OIDC offline refreshtokens

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00226.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://access.redhat.com/errata/RHSA-2022:8961
https://access.redhat.com/errata/RHSA-2022:8962
https://access.redhat.com/errata/RHSA-2022:8963
https://access.redhat.com/errata/RHSA-2022:8964
https://access.redhat.com/errata/RHSA-2022:8965
https://access.redhat.com/errata/RHSA-2023:1043
https://access.redhat.com/errata/RHSA-2023:1044
https://access.redhat.com/errata/RHSA-2023:1045
https://access.redhat.com/errata/RHSA-2023:1047
https://access.redhat.com/errata/RHSA-2023:1049
https://access.redhat.com/security/cve/CVE-2022-3916
https://bugzilla.redhat.com/show_bug.cgi?id=2141404
https://nvd.nist.gov/vuln/detail/CVE-2022-3916
https://www.cve.org/CVERecord?id=CVE-2022-3916

History

Wed, 25 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Redhat Enterprise Linux Keycloak Openshift Container Platform Openshift Container Platform For Linuxone Openshift Container Platform For Power Openshift Container Platform Ibm Z Systems Red Hat Single Sign On Rhosemc Single Sign-on

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-20T14:28:52.089Z

Updated: 2024-08-03T01:20:58.791Z

Reserved: 2022-11-09T16:12:41.804Z

Link: CVE-2022-3916

Vulnrichment

Updated: 2024-08-03T01:20:58.791Z

NVD

Status : Modified

Published: 2023-09-20T15:15:11.583

Modified: 2024-11-21T07:20:31.480

Link: CVE-2022-3916

Redhat

Severity : Moderate

Publid Date: 2022-11-09T00:00:00Z

Links: CVE-2022-3916 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object