CVE-2023-0264

2023-08-0418:15:11

CWE-287

[email protected]

web.nvd.nist.gov

112

cve-2023-0264

keycloak

openid connect

user authentication

flaw

information security

vulnerability

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.3%

JSON

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.

Affected configurations

Vulners

NVD

Node

redhatkeycloakRange≤18.0.6

VendorProductVersionCPE
redhatkeycloak*cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	keycloak	*	cpe:2.3:a:redhat:keycloak::::::::

CNA Affected

[
  {
    "vendor": "redhat.com",
    "product": "Keycloak",
    "versions": [
      {
        "version": "18.0.6",
        "status": "affected",
        "lessThan": "18.0.6",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]