VDB

CISA-2023-2422

CISA-2023-2422 PUBLISHED CVSS 5.5 MEDIUM

Reported by redhat · Published October 4, 2023

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.

Risk Scores

CVSS 3.1
5.5
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Affected Products

VendorProductVersions
Red HatRed Hat Single Sign-On 7
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.8-1.redhat_00001.1.el7sso
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.8-1.redhat_00001.1.el8sso
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.8-1.redhat_00001.1.el9sso
Red HatRHEL-8 based Middleware Containers7.6-24
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.8-1.redhat_00001.1.el7sso, *
Red HatRed Hat Single Sign-On 7
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.8-1.redhat_00001.1.el8sso, *
Red HatRHEL-8 based Middleware Containers7.6-24, 7.6-24
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.8-1.redhat_00001.1.el9sso, 0:18.0.8-1.redhat_00001.1.el9sso

Timeline

  • Oct 4, 2023 CVE Published
  • Aug 2, 2024 CVE Updated
  • Apr 26, 2026 Distribution Patch
  • Apr 26, 2026 Distribution Patch
  • Apr 26, 2026 Distribution Patch
  • Apr 26, 2026 Distribution Patch
  • Apr 26, 2026 Distribution Patch
  • Apr 26, 2026 Security Advisory
  • Apr 26, 2026 Security Advisory
  • Apr 26, 2026 Security Advisory
  • Apr 26, 2026 Security Advisory
  • Apr 26, 2026 Security Advisory

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›