
(RHSA-2024:1868) Important: Red Hat build of Keycloak security update

2024-04-16 20:24:16
access.redhat.com

Tags: red hat, keycloak, security update, authentication, single sign-on

AI Score: 6.6 Medium (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 17.1%)

Red Hat build of Keycloak 22.0.10 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security Fix(es):

  • path traversal in redirection validation (CVE-2024-1132)

  • org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)

  • secondary factor bypass in step-up authentication (CVE-2023-3597)

  • Authorization Bypass (CVE-2023-6544)

  • XSS via assertion consumer service URL in SAML POST-binding flow (CVE-2023-6717)

  • session hijacking via re-authentication (CVE-2023-6787)

  • impersonation via logout token exchange (CVE-2023-0657)

  • Log Injection during WebAuthn authentication or registration (CVE-2023-6484)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
