CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence: Low
EPSS
Percentile: 13.0%
Keycloak is vulnerable to an authorization bypass. The vulnerability is due to a hardcoded, permissive regular expression that is used to filter the hosts allowed to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with a specific Dynamic Client Registration with TrustedDomain configuration that was previously unauthorized.
access.redhat.com/errata/RHSA-2024:1860
access.redhat.com/errata/RHSA-2024:1861
access.redhat.com/errata/RHSA-2024:1862
access.redhat.com/errata/RHSA-2024:1864
access.redhat.com/errata/RHSA-2024:1866
access.redhat.com/errata/RHSA-2024:1867
access.redhat.com/errata/RHSA-2024:1868
access.redhat.com/security/cve/CVE-2023-6544
bugzilla.redhat.com/show_bug.cgi?id=2253116
github.com/advisories/GHSA-46c8-635v-68r2
github.com/keycloak/keycloak/commit/9d9b57879c8f193b7693153780b591cd6002bd1b
github.com/keycloak/keycloak/commit/c6c0ee1d3b5a9be6680fd1e5303ab1804ce904eb