Description
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1790759
Related Vulnerabilities
CVE-2020-36732 Vulnerability in npm package crypto-js
CVE-2020-2095 Vulnerability in maven package org.jenkins-ci.plugins:redgate-sql-ci
CVE-2020-1698 Vulnerability in maven package org.keycloak:keycloak-authz-client
CVE-2022-28220 Vulnerability in maven package org.apache.james.protocols:protocols-api
CVE-2023-32315 Vulnerability in maven package org.igniterealtime.openfire:xmppserver