Description
A vulnerability was found in Keycloak 7.x: when Keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), user authentication succeeds even if an invalid password is entered.
A flaw was found in Keycloak 7.x where an invalid password is accepted for user authentication when LDAP user federation is configured and STARTTLS is used instead of SSL/TLS from the LDAP server. This can allow an attacker to log into a system with any value entered as the password and still gain access to the system.
Statement
This flaw does not affect Red Hat's Single Sign On (RHSSO) product and, thus, no patch will be forthcoming.
Mitigation
Disabling STARTTLS will fix the authentication flaw but leave the connection to the LDAP server unencrypted. Utilizing LDAPS will add a layer of encryption back to the LDAP connection but only at the SSLv3 level which also poses problems in and of itself.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Single Sign-On 7 | rh-sso7-keycloak | Not affected | | |
Additional information
CVSS3: 9.3 Critical
Related vulnerabilities
A vulnerability in the STARTTLS component of the Keycloak identity and access management software, caused by errors in the implementation of the authentication procedure, that allows an attacker to escalate their privileges