Oauth client impersonation
CVE-2023-2422
7.1HIGH
Key Information:
- Vendor
Red Hat
- Status
- Vendor
- CVE Published:
- 4 October 2023
What is CVE-2023-2422?
A flaw in Keycloak's implementation of mTLS authentication for OAuth/OpenID clients allows clients with valid certificates to bypass proper verification of the client certificate chain. This vulnerability could enable a malicious client to impersonate other clients, potentially leading to unauthorized access to sensitive data. Organizations using Keycloak for identity and access management need to review their configurations to ensure robust security against this exploit.
Affected Version(s)
keycloak 18.0
Red Hat Single Sign-On 7.6 for RHEL 7 0:18.0.8-1.redhat_00001.1.el7sso
Red Hat Single Sign-On 7.6 for RHEL 8 0:18.0.8-1.redhat_00001.1.el8sso