A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Single_sign-on | Redhat | 7.4 (including) | 7.4 (including) |
| Red Hat Single Sign-On 7.4.7 | RedHat | * | |
| Red Hat Single Sign-On 7.4 for RHEL 6 | RedHat | rh-sso7-keycloak-0:9.0.13-1.redhat_00006.1.el6sso | * |
| Red Hat Single Sign-On 7.4 for RHEL 7 | RedHat | rh-sso7-keycloak-0:9.0.13-1.redhat_00006.1.el7sso | * |
| Red Hat Single Sign-On 7.4 for RHEL 8 | RedHat | rh-sso7-keycloak-0:9.0.13-1.redhat_00006.1.el8sso | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html