Red Hat build of Keycloak 22.0.10 is an integrated solution, available as a Red Hat JBoss Middleware for OpenShift containerized image, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security Fix(es):
- authorization bypass (CVE-2023-6544)
- XSS via assertion consumer service URL in SAML POST-binding flow (CVE-2023-6717)
- path traversal in redirect validation (CVE-2024-1132)
- unvalidated cross-origin messages in checkLoginIframe lead to DDoS (CVE-2024-1249)
- path traversal in redirect validation (CVE-2024-2419)
- secondary factor bypass in step-up authentication (CVE-2023-3597)
- impersonation via logout token exchange (CVE-2023-0657)
- session hijacking via re-authentication (CVE-2023-6787)
- keycloak-rhel9-operator-bundle-container, keycloak-rhel9-operator-container: log injection during WebAuthn authentication or registration (CVE-2023-6484)
This erratum releases bug-fix and enhancement images for Red Hat build of Keycloak 22.0.10 for use within the OpenShift Container Platform 4.12, 4.13, 4.14 and 4.15 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.