Timing Attack Vulnerability in Red Hat Keycloak

CVE-2017-2585 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:N/A:N

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.

Learn more about our Web Application Penetration Testing UK.