Plaintext storage of user password
CVE-2023-4918

8.8 HIGH

Key Information:

Vendor:
Red Hat
CVE Published:
12 September 2023

Summary

A vulnerability exists in the Keycloak package, specifically within the user profile module, allowing user passwords to be exposed. During the registration process, the 'password' and 'password-confirm' fields are treated as standard user attributes. This flaw permits all users and clients with the appropriate roles to access this sensitive information, enabling unauthorized users to view passwords in clear text and undermining the security of the affected environment.
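As an added illustration (not part of the advisory or of the Keycloak project), the following audit helper scans user representations in the shape returned by the Keycloak admin REST API (an `attributes` map of name to list of string values) and flags accounts whose attributes carry the `password` or `password-confirm` values described above, so an operator can find and remove the stored plaintext. The sample users are constructed, not real data.

```python
"""Audit Keycloak user representations for password values stored as plain
user attributes, the exposure described in CVE-2023-4918."""
from typing import Dict, List

# Attribute names the advisory says were stored as ordinary user attributes.
SENSITIVE_ATTRIBUTE_NAMES = {"password", "password-confirm"}

# Constructed sample in the shape of the admin API UserRepresentation
# (attributes: name -> list of strings). Not real accounts or passwords.
SAMPLE_USERS: List[Dict] = [
    {"id": "u-1", "username": "alice",
     "attributes": {"department": ["eng"],
                    "password": ["Wint3r!"],
                    "password-confirm": ["Wint3r!"]}},
    {"id": "u-2", "username": "bob", "attributes": {"department": ["ops"]}},
    {"id": "u-3", "username": "carol"},  # no attributes key at all
]


def find_exposed_password_attributes(users: List[Dict]) -> Dict[str, List[str]]:
    """Return {username: [offending attribute names]} for every user whose
    attribute map contains a password field. Names are matched
    case-insensitively because attribute names are free-form strings."""
    findings: Dict[str, List[str]] = {}
    for user in users:
        attrs = user.get("attributes") or {}
        hits = sorted(n for n in attrs if n.lower() in SENSITIVE_ATTRIBUTE_NAMES)
        if hits:
            findings[user["username"]] = hits
    return findings


def redact_password_attributes(user: Dict) -> Dict:
    """Return a copy of one user representation with the password attributes
    removed; the input is left untouched so it can still be logged or diffed."""
    cleaned = dict(user)
    cleaned["attributes"] = {
        name: values
        for name, values in (user.get("attributes") or {}).items()
        if name.lower() not in SENSITIVE_ATTRIBUTE_NAMES
    }
    return cleaned


if __name__ == "__main__":
    for username, names in find_exposed_password_attributes(SAMPLE_USERS).items():
        print(f"{username}: plaintext password stored in attributes {names}")
```

Run it against a user export taken before upgrading past 22.0.3 to enumerate affected accounts; those users' passwords should be treated as compromised and reset, since removing the attribute does not undo prior exposure.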

Affected Version(s)

keycloak 22.0.3

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Upstream acknowledges Niko Köbler as the original reporter.