Keycloak Authentication Bypass Vulnerability

CVE-2023-3597

5MEDIUM

Key Information

Vendor: Red Hat
Status: Red Hat Build Of Keycloak 22; Red Hat Build Of Keycloak 22.0.10; Rhsso 7.6.8
Vendor: CVE Published:; 25 April 2024

Summary

A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication.

Affected Version(s)

Red Hat build of Keycloak 22 <= 22.0.10-1

Red Hat build of Keycloak 22 <= 22-13

Red Hat build of Keycloak 22 <= 22-16

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 5 - (MEDIUM)
Apr 25, 2024
Vulnerability published.
Apr 25, 2024
Vulnerability Reserved.
Jul 10, 2023
Reported to Red Hat.
Jul 10, 2023

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Johannes Bergmann (Bosch) for reporting this issue.