Keycloak Authentication Bypass Vulnerability
CVE-2023-3597
CVSS 5.0 (MEDIUM)
Key Information
- Vendor: Red Hat
- Status: Red Hat Build Of Keycloak 22; Red Hat Build Of Keycloak 22.0.10; RH-SSO 7.6.8
- CVE Published: 25 April 2024
Summary
A flaw was found in Keycloak, where it does not correctly validate client step-up authentication in org.keycloak.authentication. A remote user who has authenticated with only a password can register a second authentication factor of their own alongside the one already on the account, and that attacker-registered factor is then accepted for step-up, bypassing the stronger authentication the client requires.
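The failure mode above, modelled as an added example (this is not Keycloak's code; the class names, credential kinds and level numbering are assumptions made for the demonstration): a step-up gate derives the session's level of assurance from the credentials verified in the session, and the only difference between the buggy and the hardened enrollment routine is whether registering a new second factor from a password-only session is allowed while the account already has one, and whether enrolment is counted as verification. The hardened rule follows NIST SP 800-63B 6.1.2.1: bind a new authenticator only in a session that has already reached the level that authenticator grants.

```python
"""Illustrative model of a step-up (level-of-assurance) gate and of second-factor
enrolment, vulnerable beside fixed. Added example; not Keycloak's implementation.
All names and the level numbering are assumptions for the demonstration."""
from dataclasses import dataclass, field
from enum import IntEnum
import hmac

SECOND_FACTOR_KINDS = ("otp", "webauthn")  # assumed credential kinds for this model


class Loa(IntEnum):
    NONE = 0
    PASSWORD = 1       # knowledge factor only
    SECOND_FACTOR = 2  # password plus a second factor verified in this session


@dataclass
class Credential:
    kind: str    # "password", "otp" or "webauthn"
    secret: str  # stands in for the stored verifier (hash, OTP seed, public key)


@dataclass
class User:
    name: str
    credentials: dict = field(default_factory=dict)  # kind -> Credential

    def has_second_factor(self) -> bool:
        return any(k in SECOND_FACTOR_KINDS for k in self.credentials)


@dataclass
class Session:
    user: User
    verified: set = field(default_factory=set)  # credential kinds proven in this session


def verify(session: Session, kind: str, presented: str) -> bool:
    """Check a presented credential against the stored one and record success."""
    cred = session.user.credentials.get(kind)
    if cred is None or not hmac.compare_digest(cred.secret, presented):
        return False
    session.verified.add(kind)
    return True


def loa(session: Session) -> Loa:
    """Level of assurance is derived only from what was verified in the session."""
    if any(k in SECOND_FACTOR_KINDS for k in session.verified):
        return Loa.SECOND_FACTOR
    if "password" in session.verified:
        return Loa.PASSWORD
    return Loa.NONE


def step_up_ok(session: Session, required: Loa) -> bool:
    """The gate a client with a higher level-of-assurance requirement relies on."""
    return loa(session) >= required


def register_factor_vulnerable(session: Session, cred: Credential) -> None:
    """Buggy enrolment: a password-only session may add (or replace) a second
    factor, and the freshly enrolled factor is treated as verified on the spot."""
    if "password" not in session.verified:
        raise PermissionError("authenticate first")
    session.user.credentials[cred.kind] = cred
    session.verified.add(cred.kind)  # the flaw: enrolment counts as verification


def register_factor_fixed(session: Session, cred: Credential) -> None:
    """Hardened enrolment: if the account already has a second factor, the session
    must have stepped up with it before another may be added, and enrolling never
    raises the session's level (NIST SP 800-63B 6.1.2.1)."""
    if "password" not in session.verified:
        raise PermissionError("authenticate first")
    if session.user.has_second_factor() and loa(session) < Loa.SECOND_FACTOR:
        raise PermissionError("step up with the existing second factor first")
    session.user.credentials[cred.kind] = cred
    # deliberately no session.verified.add(): the user must still prove the factor


def attacker_scenario(register) -> bool:
    """Constructed scenario: the attacker knows alice's password but not her OTP
    seed. Returns True if the step-up gate was bypassed via the given routine."""
    alice = User("alice", {"password": Credential("password", "pw-hash"),
                           "otp": Credential("otp", "legit-seed")})
    s = Session(alice)
    assert verify(s, "password", "pw-hash")
    try:
        register(s, Credential("webauthn", "attacker-key"))
    except PermissionError:
        return False
    return step_up_ok(s, Loa.SECOND_FACTOR)


if __name__ == "__main__":
    print("vulnerable bypassed:", attacker_scenario(register_factor_vulnerable))  # True
    print("fixed bypassed:", attacker_scenario(register_factor_fixed))            # False
```

Note that the fixed routine still allows a user with no second factor at all to enrol one from a password-only session (the normal bootstrap case), but the session only reaches the higher level once that factor has actually been verified, so enrolment alone never satisfies a step-up check.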
Affected Version(s)
Red Hat build of Keycloak 22 <= 22.0.10-1
Red Hat build of Keycloak 22 <= 22-13
Red Hat build of Keycloak 22 <= 22-16
CVSS V3.1
Score: 5.0
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
Timeline
- Risk change from: none to: 5.0 (MEDIUM)
- Vulnerability published.
- Vulnerability reserved.
- Reported to Red Hat.
Collectors
NVD Database, MITRE Database
Credit
Red Hat would like to thank Johannes Bergmann (Bosch) for reporting this issue.