Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-azxv-y5rj-vkg9
Summary
Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
Aliases
0
alias CVE-2022-3916
1
alias GHSA-97g8-xfvw-q4hg
2
alias GMS-2022-8406
Fixed_packages
0
url pkg:maven/org.keycloak/keycloak-core@20.0.2
purl pkg:maven/org.keycloak/keycloak-core@20.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-crj8-4jaa-yyes
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@20.0.2
1
url pkg:maven/org.keycloak/keycloak-model-infinispan@20.0.2
purl pkg:maven/org.keycloak/keycloak-model-infinispan@20.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-model-infinispan@20.0.2
2
url pkg:maven/org.keycloak/keycloak-model-jpa@20.0.2
purl pkg:maven/org.keycloak/keycloak-model-jpa@20.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-model-jpa@20.0.2
3
url pkg:maven/org.keycloak/keycloak-parent@20.0.2
purl pkg:maven/org.keycloak/keycloak-parent@20.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@20.0.2
4
url pkg:maven/org.keycloak/keycloak-saml-core-public@20.0.2
purl pkg:maven/org.keycloak/keycloak-saml-core-public@20.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-saml-core-public@20.0.2
5
url pkg:maven/org.keycloak/keycloak-server-spi-private@20.0.2
purl pkg:maven/org.keycloak/keycloak-server-spi-private@20.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-server-spi-private@20.0.2
6
url pkg:maven/org.keycloak/keycloak-services@20.0.2
purl pkg:maven/org.keycloak/keycloak-services@20.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@20.0.2
7
url pkg:npm/keycloak-connect@20.0.2
purl pkg:npm/keycloak-connect@20.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keycloak-connect@20.0.2
Affected_packages
0
url pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1?arch=el7sso
purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1?arch=el7sso
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-48jh-8c96-3bc9
1
vulnerability VCID-azxv-y5rj-vkg9
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1%3Farch=el7sso
1
url pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1?arch=el9sso
purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1?arch=el9sso
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-48jh-8c96-3bc9
1
vulnerability VCID-azxv-y5rj-vkg9
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1%3Farch=el9sso
2
url pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1?arch=el8sso
purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1?arch=el8sso
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-48jh-8c96-3bc9
1
vulnerability VCID-azxv-y5rj-vkg9
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00002.1%3Farch=el8sso
3
url pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el8sso
purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el8sso
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1cnf-6har-m7fy
1
vulnerability VCID-2rh6-y288-6kcn
2
vulnerability VCID-2wbr-v8ma-dkec
3
vulnerability VCID-5r6b-8ze2-ruhw
4
vulnerability VCID-6cjv-e7t7-23ht
5
vulnerability VCID-84eq-cq89-9qhm
6
vulnerability VCID-8n99-buv5-wkes
7
vulnerability VCID-az78-umjq-z3bc
8
vulnerability VCID-azxv-y5rj-vkg9
9
vulnerability VCID-b7wt-ds9h-9bcu
10
vulnerability VCID-ch1b-adh9-skah
11
vulnerability VCID-crj8-4jaa-yyes
12
vulnerability VCID-e5va-tex4-5yea
13
vulnerability VCID-f1ga-jtnt-2ke8
14
vulnerability VCID-jed8-4cv5-6bcr
15
vulnerability VCID-mev9-tsyk-2ubf
16
vulnerability VCID-nbdw-rgrx-bkeb
17
vulnerability VCID-nk6k-cbjb-bybe
18
vulnerability VCID-r94a-3fq2-efdg
19
vulnerability VCID-swy1-8ztq-5qgn
20
vulnerability VCID-ugpk-g4qu-x3b5
21
vulnerability VCID-uumb-j4ue-fbfe
22
vulnerability VCID-v3z6-4r9w-8yd1
23
vulnerability VCID-vjrr-h9sh-3bcu
24
vulnerability VCID-vsty-6vqf-pkeg
25
vulnerability VCID-w1c4-c4xs-yba4
26
vulnerability VCID-wezb-6dbp-nfer
27
vulnerability VCID-y7gj-gcwm-8fde
28
vulnerability VCID-ysqs-hnzr-tyd6
29
vulnerability VCID-yxeb-fq26-bfh1
30
vulnerability VCID-yywj-jh4h-qbhw
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1%3Farch=el8sso
4
url pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el9sso
purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el9sso
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1cnf-6har-m7fy
1
vulnerability VCID-2rh6-y288-6kcn
2
vulnerability VCID-2wbr-v8ma-dkec
3
vulnerability VCID-5r6b-8ze2-ruhw
4
vulnerability VCID-6cjv-e7t7-23ht
5
vulnerability VCID-84eq-cq89-9qhm
6
vulnerability VCID-8n99-buv5-wkes
7
vulnerability VCID-az78-umjq-z3bc
8
vulnerability VCID-azxv-y5rj-vkg9
9
vulnerability VCID-b7wt-ds9h-9bcu
10
vulnerability VCID-ch1b-adh9-skah
11
vulnerability VCID-crj8-4jaa-yyes
12
vulnerability VCID-e5va-tex4-5yea
13
vulnerability VCID-f1ga-jtnt-2ke8
14
vulnerability VCID-jed8-4cv5-6bcr
15
vulnerability VCID-mev9-tsyk-2ubf
16
vulnerability VCID-nbdw-rgrx-bkeb
17
vulnerability VCID-nk6k-cbjb-bybe
18
vulnerability VCID-r94a-3fq2-efdg
19
vulnerability VCID-swy1-8ztq-5qgn
20
vulnerability VCID-ugpk-g4qu-x3b5
21
vulnerability VCID-uumb-j4ue-fbfe
22
vulnerability VCID-v3z6-4r9w-8yd1
23
vulnerability VCID-vjrr-h9sh-3bcu
24
vulnerability VCID-vsty-6vqf-pkeg
25
vulnerability VCID-w1c4-c4xs-yba4
26
vulnerability VCID-wezb-6dbp-nfer
27
vulnerability VCID-y7gj-gcwm-8fde
28
vulnerability VCID-ysqs-hnzr-tyd6
29
vulnerability VCID-yxeb-fq26-bfh1
30
vulnerability VCID-yywj-jh4h-qbhw
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1%3Farch=el9sso
5
url pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el7sso
purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el7sso
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1cnf-6har-m7fy
1
vulnerability VCID-2rh6-y288-6kcn
2
vulnerability VCID-2wbr-v8ma-dkec
3
vulnerability VCID-5r6b-8ze2-ruhw
4
vulnerability VCID-6cjv-e7t7-23ht
5
vulnerability VCID-84eq-cq89-9qhm
6
vulnerability VCID-8n99-buv5-wkes
7
vulnerability VCID-az78-umjq-z3bc
8
vulnerability VCID-azxv-y5rj-vkg9
9
vulnerability VCID-b7wt-ds9h-9bcu
10
vulnerability VCID-ch1b-adh9-skah
11
vulnerability VCID-crj8-4jaa-yyes
12
vulnerability VCID-e5va-tex4-5yea
13
vulnerability VCID-f1ga-jtnt-2ke8
14
vulnerability VCID-jed8-4cv5-6bcr
15
vulnerability VCID-mev9-tsyk-2ubf
16
vulnerability VCID-nbdw-rgrx-bkeb
17
vulnerability VCID-nk6k-cbjb-bybe
18
vulnerability VCID-r94a-3fq2-efdg
19
vulnerability VCID-swy1-8ztq-5qgn
20
vulnerability VCID-ugpk-g4qu-x3b5
21
vulnerability VCID-uumb-j4ue-fbfe
22
vulnerability VCID-v3z6-4r9w-8yd1
23
vulnerability VCID-vjrr-h9sh-3bcu
24
vulnerability VCID-vsty-6vqf-pkeg
25
vulnerability VCID-w1c4-c4xs-yba4
26
vulnerability VCID-wezb-6dbp-nfer
27
vulnerability VCID-y7gj-gcwm-8fde
28
vulnerability VCID-ysqs-hnzr-tyd6
29
vulnerability VCID-yxeb-fq26-bfh1
30
vulnerability VCID-yywj-jh4h-qbhw
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1%3Farch=el7sso
References
0
reference_url https://access.redhat.com/errata/RHSA-2022:8961
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2022:8961
1
reference_url https://access.redhat.com/errata/RHSA-2022:8962
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2022:8962
2
reference_url https://access.redhat.com/errata/RHSA-2022:8963
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2022:8963
3
reference_url https://access.redhat.com/errata/RHSA-2022:8964
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2022:8964
4
reference_url https://access.redhat.com/errata/RHSA-2022:8965
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2022:8965
5
reference_url https://access.redhat.com/errata/RHSA-2023:1043
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2023:1043
6
reference_url https://access.redhat.com/errata/RHSA-2023:1044
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2023:1044
7
reference_url https://access.redhat.com/errata/RHSA-2023:1045
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2023:1045
8
reference_url https://access.redhat.com/errata/RHSA-2023:1047
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2023:1047
9
reference_url https://access.redhat.com/errata/RHSA-2023:1049
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2023:1049
10
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3916.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3916.json
11
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-3916
reference_id
reference_type
scores
0
value 0.00226
scoring_system epss
scoring_elements 0.4547
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-3916
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2141404
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=2141404
13
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
14
reference_url https://access.redhat.com/security/cve/CVE-2022-3916
reference_id CVE-2022-3916
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2022-3916
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-3916
reference_id CVE-2022-3916
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-3916
16
reference_url https://github.com/advisories/GHSA-97g8-xfvw-q4hg
reference_id GHSA-97g8-xfvw-q4hg
reference_type
scores
url https://github.com/advisories/GHSA-97g8-xfvw-q4hg
17
reference_url https://github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hg
reference_id GHSA-97g8-xfvw-q4hg
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hg
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 613
name Insufficient Session Expiration
description According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id 384
name Session Fixation
description Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
4
cwe_id 287
name Improper Authentication
description When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5
cwe_id 304
name Missing Critical Step in Authentication
description The product implements an authentication technique, but it skips a step that weakens the technique.
6
cwe_id 488
name Exposure of Data Element to Wrong Session
description The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
Exploits
Severity_range_score4.0 - 6.9
Exploitability0.5
Weighted_severity6.2
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-azxv-y5rj-vkg9