GitHub Advisory DatabaseGHSA-46C8-635V-68R2Keycloak Authorization Bypass vulnerability
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
6.7 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
13.2%
Due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client, a malicious user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration previously unauthorized.
Acknowledgements:
Special thanks to Bastian Kanbach for reporting this issue and helping us improve our security.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.keycloak:keycloak-services | ge | 23.0.0 | |
| org.keycloak:keycloak-services | lt | 24.0.3 | |
| org.keycloak:keycloak-services | lt | 22.0.10 |
References
access.redhat.com/errata/RHSA-2024:1860
access.redhat.com/errata/RHSA-2024:1861
access.redhat.com/errata/RHSA-2024:1862
access.redhat.com/errata/RHSA-2024:1864
access.redhat.com/errata/RHSA-2024:1866
access.redhat.com/errata/RHSA-2024:1867
access.redhat.com/errata/RHSA-2024:1868
access.redhat.com/security/cve/CVE-2023-6544
bugzilla.redhat.com/show_bug.cgi?id=2253116
github.com/advisories/GHSA-46c8-635v-68r2
github.com/keycloak/keycloak/security/advisories/GHSA-46c8-635v-68r2
nvd.nist.gov/vuln/detail/CVE-2023-6544
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
6.7 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
13.2%