A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jboss_fuse | Redhat | 7.0.0 (including) | 7.0.0 (including) |
| Keycloak | Redhat | * | 8.0.0 (excluding) |
| Openshift_application_runtimes | Redhat | - (including) | - (including) |
| Red Hat Decision Manager 7 | RedHat | keycloak | * |
| Red Hat Process Automation 7 | RedHat | keycloak | * |
| Red Hat Runtimes Spring Boot 2.2.6 | RedHat | keycloak | * |
| Red Hat Single Sign On 7.3.8 | RedHat | * | |
| Red Hat Single Sign-On 7.3 for RHEL 6 | RedHat | rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el6sso | * |
| Red Hat Single Sign-On 7.3 for RHEL 7 | RedHat | rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el7sso | * |
| Red Hat Single Sign-On 7.3 for RHEL 8 | RedHat | rh-sso7-keycloak-0:4.8.20-1.Final_redhat_00001.1.el8sso | * |
| Text-Only RHOAR | RedHat | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html