exploitDog
GHSA-v436-q368-hvgg

Published: 12 Jan 2023
Source: github
GitHub: reviewed
CVSS3: 6.5

Description

Keycloak lacks validation of the access token on the client-registration endpoints

A service account that holds the create-client or manage-clients role can use the client-registration endpoints to create and manage clients, authenticating with an access token.

If that access token is leaked, it can be revoked. However, the revocation check is not performed on the client-registration endpoints, so a token that has already been revoked is still accepted there and can continue to create or modify clients until it expires.
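The advisory describes a missing check rather than a specific request, so the following added example (not code from the advisory, exploitDog or the Keycloak project) shows how an operator would verify a deployment: obtain a service-account token with the client-credentials grant, create a disabled probe client through the registration endpoint, revoke the token via the RFC 7009 revocation endpoint, and try the registration endpoint again. The base URL, realm, client credentials and probe client IDs are assumed placeholders; the endpoint paths are Keycloak's Quarkus-era paths without the `/auth` prefix that pre-17 deployments use. `FakeKeycloak` is a constructed in-memory stand-in for those three endpoints so the check can be exercised offline; against a real server pass the default `http_send` transport.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Tuple

# Assumed placeholders for illustration only (not values from the advisory).
BASE_URL = "https://keycloak.example.test"
REALM = "demo"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

Sender = Callable[[urllib.request.Request], Tuple[int, bytes]]


def http_send(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Real transport: returns (status, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def token_request(base_url, realm, client_id, client_secret):
    """Client-credentials grant (RFC 6749 s4.4) for the service account."""
    data = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        data=data, headers=FORM, method="POST")


def revoke_request(base_url, realm, client_id, client_secret, token):
    """RFC 7009 revocation of the access token."""
    data = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/revoke",
        data=data, headers=FORM, method="POST")


def register_request(base_url, realm, token, new_client_id):
    """Create a (disabled) client via the default client-registration provider."""
    body = json.dumps({"clientId": new_client_id, "enabled": False}).encode()
    return urllib.request.Request(
        f"{base_url}/realms/{realm}/clients-registrations/default",
        data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})


def classify(status_before: int, status_after: int) -> str:
    """Verdict from the registration status before and after revocation."""
    if status_before not in (200, 201):
        return "inconclusive"  # token never worked; fix roles/credentials first
    if status_after in (200, 201):
        return "vulnerable"    # revoked token still creates clients
    if status_after in (401, 403):
        return "fixed"
    return "inconclusive"


def run_check(base_url, realm, client_id, client_secret, send: Sender = http_send) -> dict:
    status, body = send(token_request(base_url, realm, client_id, client_secret))
    if status != 200:
        return {"verdict": "inconclusive", "step": "token", "status": status}
    token = json.loads(body)["access_token"]
    before, _ = send(register_request(base_url, realm, token, "ghsa-probe-1"))
    send(revoke_request(base_url, realm, client_id, client_secret, token))
    after, _ = send(register_request(base_url, realm, token, "ghsa-probe-2"))
    return {"verdict": classify(before, after), "before": before, "after": after}


class FakeKeycloak:
    """Constructed offline stand-in for the three endpoints; `checks_revocation`
    toggles between the unfixed (<= 20.0.2) and fixed (20.0.3) behaviour."""

    def __init__(self, checks_revocation: bool):
        self.checks_revocation = checks_revocation
        self.issued, self.revoked, self.clients = set(), set(), []

    def __call__(self, req: urllib.request.Request) -> Tuple[int, bytes]:
        path = urllib.parse.urlparse(req.full_url).path
        if path.endswith("/protocol/openid-connect/token"):
            tok = f"tok-{len(self.issued)}"
            self.issued.add(tok)
            return 200, json.dumps({"access_token": tok}).encode()
        if path.endswith("/protocol/openid-connect/revoke"):
            self.revoked.add(urllib.parse.parse_qs(req.data.decode())["token"][0])
            return 200, b""
        if path.endswith("/clients-registrations/default"):
            auth = req.get_header("Authorization", "")
            tok = auth[7:] if auth.startswith("Bearer ") else ""
            if tok not in self.issued or (self.checks_revocation and tok in self.revoked):
                return 401, b""
            self.clients.append(json.loads(req.data)["clientId"])
            return 201, req.data
        return 404, b""


if __name__ == "__main__":
    import sys  # usage: python check.py <base_url> <realm> <client_id> <client_secret>
    print(run_check(*sys.argv[1:5]))
```

The probe clients are created disabled and should be deleted afterwards (a DELETE to `clients-registrations/default/<clientId>` with a still-valid token); a "vulnerable" verdict on a real server means the second, post-revocation registration succeeded and the fix in 20.0.3 is not in place.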

Packages

Name: org.keycloak:keycloak-core (maven)

Affected versions    Fixed version
<= 20.0.2            20.0.3

EPSS

Percentile: 27%
Score: 0.00097
Low

CVSS3

6.5 Medium

Weaknesses

CWE-284 (Improper Access Control)
CWE-863 (Incorrect Authorization)

Related vulnerabilities

CVSS3: 3.8
redhat
more than 3 years ago

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

CVSS3: 3.8
nvd
about 3 years ago

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

CVSS3: 3.8
debian
about 3 years ago

A flaw was found in Keycloak, where it did not properly check client t ...
