Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
redhat keycloak |
||
redhat single sign on 7.1 |
||
redhat single sign on 7.2 |