#VU72725 Authentication bypass using an alternate path or channel in Keycloak - CVE-2023-0264


Updated: 2024-05-31

Vulnerability identifier: #VU72725

Vulnerability risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2023-0264

CWE-ID: CWE-288

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor: Keycloak

Description

The vulnerability allows a remote authenticated user to impersonate other users of the same realm.

The vulnerability exists due to a flaw in Keycloak's OpenID Connect user authentication that can cause requests to be incorrectly authenticated. A remote authenticated user who can obtain a certain piece of information from a victim's request within the same realm can use that data to impersonate the victim and generate new session tokens for the victim's account. The attacker already needs an account in the target realm; nothing in the advisory indicates that unauthenticated or cross-realm impersonation is possible.

Mitigation
Upgrade to a Keycloak release outside the affected range (the versions listed below are vulnerable; any later release is fixed). Refer to the vendor advisory in the external links for the exact fixed release.

Vulnerable software versions

Keycloak: 20.0.3 - 21.0.0
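A quick way to triage a deployment against this bulletin is to read the running version and compare it with the affected range above. The following check is an added example and is not code from the bulletin or from the Keycloak project. It assumes the version string is taken from the systemInfo.version field of the Keycloak admin API's GET /admin/serverinfo response (fetching that with an admin token is left to the caller); the serverinfo document embedded here is a constructed sample, not a real capture.

```python
"""Check whether a Keycloak version string falls in the CVE-2023-0264
affected range (20.0.3 through 21.0.0, inclusive, as this bulletin lists).

Added example; not part of the bulletin or of Keycloak itself.
"""
import json
import re

# Inclusive bounds taken from the "Vulnerable software versions" section.
AFFECTED_MIN = (20, 0, 3)
AFFECTED_MAX = (21, 0, 0)


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from a Keycloak version string.

    Accepts plain "21.0.1" as well as suffixed builds such as
    "21.0.1-SNAPSHOT" or "20.0.3.redhat-00001"; a missing patch number
    is treated as 0. Raises ValueError when there is no numeric prefix,
    so an unparseable value is never silently reported as "not affected".
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Keycloak version: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if the version lies inside the inclusive affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def version_from_serverinfo(serverinfo_json: str) -> str:
    """Extract systemInfo.version from a serverinfo response body.

    Assumption: the body has the shape of Keycloak's admin
    GET /admin/serverinfo response.
    """
    info = json.loads(serverinfo_json)
    return info["systemInfo"]["version"]


# Constructed sample carrying only the field this check needs.
SAMPLE_SERVERINFO = json.dumps({"systemInfo": {"version": "20.0.5"}})


if __name__ == "__main__":
    v = version_from_serverinfo(SAMPLE_SERVERINFO)
    print(v, "AFFECTED by CVE-2023-0264" if is_affected(v) else "not affected")
```

The parser deliberately fails loudly on a string it cannot read: a check that silently treats an unknown version as safe is worse than no check. Vendor-specific builds that carry a different numbering scheme must be mapped to their upstream Keycloak version before being compared.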


External links
https://github.com/keycloak/keycloak/security/advisories/GHSA-9g98-5mj6-f9mv


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

