Keycloak Authentication Bypass Vulnerability
CVE-2023-3597

5MEDIUM

Key Information:

Vendor
Red Hat
Status
Red Hat Build Of Keycloak 22
Red Hat Build Of Keycloak 22.0.10
Rhsso 7.6.8
Vendor
CVE Published:
25 April 2024

Summary

A security flaw exists in Keycloak, where the system fails to accurately validate client step-up authentication processes. This creates a potential risk whereby an authenticated remote user can register a fraudulent second authentication factor alongside an existing one. Utilizing this vulnerability, attackers could bypass the intended security measures, allowing them unauthorized access to sensitive resources. Proper validation mechanisms are crucial to ensure that the authentication process functions as intended, safeguarding against unauthorized actions.

References

https://access.redhat.com/errata/RHSA-2024:1866
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1867
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1868
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Johannes Bergmann (Bosch) for reporting this issue.
.