A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=2182196&comment#0 | Issue Tracking Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2182196&comment#0 | Issue Tracking Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:39
Type | Values Removed | Values Added |
---|---|---|
References | () https://bugzilla.redhat.com/show_bug.cgi?id=2182196&comment#0 - Issue Tracking, Vendor Advisory |
03 Jun 2023, 03:56
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
First Time |
Redhat keycloak
Redhat jboss A-mq Redhat migration Toolkit For Runtimes Redhat single Sign-on Redhat Redhat build Of Quarkus |
|
CWE | CWE-295 | |
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2182196&comment#0 - Issue Tracking, Vendor Advisory | |
CPE | cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:* cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:* cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:* cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:* cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:* |
26 May 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-26 18:15
Updated : 2024-11-21 07:39
NVD link : CVE-2023-1664
Mitre link : CVE-2023-1664
CVE.ORG link : CVE-2023-1664
JSON object : View
Products Affected
redhat
- migration_toolkit_for_runtimes
- jboss_a-mq
- build_of_quarkus
- keycloak
- single_sign-on
CWE
CWE-295
Improper Certificate Validation