Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-1664

Опубликовано: 26 мая 2023
Источник: nvd
CVSS3: 6.5
EPSS Низкий

Описание

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 47%
0.00238
Низкий

6.5 Medium

CVSS3

Дефекты

CWE-295
CWE-295

Связанные уязвимости

redhat логотип

CVE-2023-1664

CVSS3: 6.5
redhat
почти 3 года назад

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.

debian логотип

CVE-2023-1664

CVSS3: 6.5
debian
больше 2 лет назад

A flaw was found in Keycloak. This flaw depends on a non-default confi ...

github логотип

GHSA-5cc8-pgp5-7mpm

CVSS3: 6.5
github
больше 2 лет назад

Keycloak Untrusted Certificate Validation vulnerability

fstec логотип

BDU:2023-05659

CVSS3: 6.5
fstec
больше 2 лет назад

Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

EPSS

Процентиль: 47%
0.00238
Низкий

6.5 Medium

CVSS3

Дефекты

CWE-295
CWE-295