CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Percentile: 18.4%
org.keycloak:keycloak-services is vulnerable to Improper Certificate Validation. The flaw requires that the Revalidate Client Certificate option is enabled and that the reverse proxy in front of Keycloak is not itself validated. An attacker can then choose which certificate the server validates, resulting in an authentication bypass.