CVE-2017-2585

Name: CVE-2017-2585
Creator: NVD / NIST
Published: 2018-03-12T15:29:00.397+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.05%

Last modified Jun 17, 2026

CVE-2017-2585 is a vulnerability of currently unknown severity. Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.. EPSS estimates a 2.05% chance of exploitation in the next 30 days.

Description

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.

Metrics

EPSS Probability

2.05%

78.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

Affected Software

Vendor	Product	Versions
Redhat	Keycloak	< 2.5.1
Redhat	Single Sign On	7.1
Redhat	Single Sign On	7.2

References

http://rhn.redhat.com/errata/RHSA-2017-0876.htmlVendor Advisory
http://www.securityfocus.com/bid/97393Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1038180Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:0872Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:0873Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1412376Issue Tracking
http://rhn.redhat.com/errata/RHSA-2017-0876.htmlVendor Advisory
http://www.securityfocus.com/bid/97393Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1038180Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:0872Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:0873Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1412376Issue Tracking

Timeline

Published: Mar 12, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-2585?

How severe is CVE-2017-2585?

Severity scoring for CVE-2017-2585 is pending analysis. The EPSS model estimates a 2.05% probability of exploitation in the next 30 days.

How do I fix CVE-2017-2585?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-2585?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST