A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.
The product does not validate, or incorrectly validates, a certificate.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Keycloak | Redhat | - (including) | - (including) |
| Openshift_container_platform | Redhat | 4.9 (including) | 4.9 (including) |
| Openshift_container_platform | Redhat | 4.10 (including) | 4.10 (including) |
| Openshift_container_platform | Redhat | 4.11 (including) | 4.11 (including) |
| Openshift_container_platform | Redhat | 4.12 (including) | 4.12 (including) |
| Single_sign-on | Redhat | 7.6 (including) | 7.6 (including) |
| Red Hat Single Sign-On 7 | RedHat | keycloak-oauth | * |
| Red Hat Single Sign-On 7.6 for RHEL 7 | RedHat | rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el7sso | * |
| Red Hat Single Sign-On 7.6 for RHEL 8 | RedHat | rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el8sso | * |
| Red Hat Single Sign-On 7.6 for RHEL 9 | RedHat | rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el9sso | * |
| RHEL-8 based Middleware Containers | RedHat | rh-sso-7/sso76-openshift-rhel8:7.6-24 | * |