Описание
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.
Ссылки
- Issue TrackingMitigationVendor Advisory
- Issue TrackingMitigationVendor Advisory
Уязвимые конфигурации
Одно из
EPSS
9.3 Critical
CVSS3
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
Связанные уязвимости
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.
A vulnerability was found in keycloak 7.x, when keycloak is configured ...
Уязвимость компонента STARTTLS программного средства для управления идентификацией и доступом Keycloak, связанная с ошибками реализации процедуры аутентификации, позволяющая нарушителю повысить свои привилегии
EPSS
9.3 Critical
CVSS3
9.8 Critical
CVSS3
7.5 High
CVSS2