Veracode Vulnerability Database VERACODE:46512
History: Apr 18, 2024 - 10:19 a.m.

Authorization Bypass

2024-04-18 10:19:01
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
keycloak
authorization bypass
regular expression
dynamic client registration
trusteddomain

CVSS3: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score: 5.8
Confidence: Low

EPSS: 0
Percentile: 13.0%

Keycloak is vulnerable to authorization bypass. The vulnerability is due to a hardcoded, permissive regular expression used to filter the hosts that are allowed to register a dynamic client. A malicious user with enough information about the environment could compromise an environment that uses Dynamic Client Registration with a TrustedDomain configuration, gaining access that was previously unauthorized.
