CVE-2023-4918

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment.
Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:keycloak:22.0.2:*:*:*:*:*:*:*

History

15 Sep 2023, 19:13

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CWE CWE-319
References (MISC) https://access.redhat.com/security/cve/CVE-2023-4918 - (MISC) https://access.redhat.com/security/cve/CVE-2023-4918 - Vendor Advisory
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2238588 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2238588 - Issue Tracking, Vendor Advisory
References (MISC) https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35 - (MISC) https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35 - Vendor Advisory
First Time Redhat keycloak
Redhat
CPE cpe:2.3:a:redhat:keycloak:22.0.2:*:*:*:*:*:*:*

12 Sep 2023, 20:41

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-12 20:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-4918

Mitre link : CVE-2023-4918

CVE.ORG link : CVE-2023-4918


JSON object : View

Products Affected

redhat

  • keycloak
CWE
CWE-319

Cleartext Transmission of Sensitive Information

CWE-256

Plaintext Storage of a Password