Can you explain this vulnerability to me?

This vulnerability exists in Keycloak when the setting revokeRefreshToken=true is enabled and persistent session storage is used. If the server is restarted, internal timing mechanisms that track token revocation can be reset. As a result, a remote attacker who has previously captured a user's refresh token can replay that token even after it has been revoked.

This means the attacker can gain unauthorized access to the victim's account by using the replayed refresh token.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The impact of this vulnerability is that an attacker can gain unauthorized access to a user's account by replaying a revoked refresh token after a server restart.

• Unauthorized access to user accounts.
• Potential information disclosure.
• Possible privilege escalation.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that the revokeRefreshToken setting is carefully managed and consider avoiding server restarts when persistent session storage is in use until a patch or fix is applied.

Additionally, monitor for updates or patches from Keycloak or your vendor and apply them promptly to address the issue.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows unauthorized access to user accounts by enabling replay of revoked refresh tokens after a server restart. Such unauthorized access can lead to information disclosure or privilege escalation.

Because of the potential for unauthorized access and information disclosure, this flaw could negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

Useful 0 Not Useful 0