Description
Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.
Remediation
References
http://rhn.redhat.com/errata/RHSA-2017-0876.html
http://www.securityfocus.com/bid/97393
http://www.securitytracker.com/id/1038180
https://access.redhat.com/errata/RHSA-2017:0872
https://access.redhat.com/errata/RHSA-2017:0873
https://bugzilla.redhat.com/show_bug.cgi?id=1412376
Related Vulnerabilities
CVE-2020-1725 Vulnerability in maven package org.keycloak:keycloak-core
CVE-2020-5411 Vulnerability in maven package org.springframework.batch:spring-batch-core
CVE-2021-26707 Vulnerability in maven package org.webjars.npm:merge-deep
CVE-2022-26885 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-server