exploitDog

CVE-2023-3597

Published: 15 Apr 2024
Source: redhat
CVSS3: 5
EPSS: Low

Description

A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication.

Report

Note that exploitation of this flaw requires several factors to be successful. The attacker must already have valid credentials within the system, without which there is no vulnerability, and the application must be configured to use the step-up flow, which is the only aspect of authentication bypassed by this flaw; the name and password restriction functions as expected. Further, the effects of this flaw are limited to user level and do not affect the system as a whole. For this reason, Red Hat Product Security has assessed this flaw to be of Moderate security impact.

Additional information

Status: Moderate
Weakness: CWE-287
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2221760 (keycloak: secondary factor bypass in step-up authentication)

EPSS: 0.00104 (percentile 29%, Low)

CVSS3: 5 (Medium)

Related vulnerabilities

CVSS3: 5
nvd
almost 2 years ago

A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication.

CVSS3: 5
debian
almost 2 years ago

A flaw was found in Keycloak, where it does not correctly validate its ...

CVSS3: 5
github
almost 2 years ago

Keycloak secondary factor bypass in step-up authentication
