Описание
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
Отчет
This flaw has a LOW impact. Keycloak is vulnerable to user enumeration due to differential error messages during the identity-first login flow. Exploitation requires Organizations to be enabled on the realm and the identity-first login flow to be active. This could lead to information disclosure by allowing an attacker to determine the existence of users.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
3.7 Low
CVSS3
Связанные уязвимости
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
A flaw was found in Keycloak. A remote attacker can exploit differenti ...
Keycloak's identity-first login flow exposes user information
EPSS
3.7 Low
CVSS3