A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth 2.0/OpenID Connect clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authenticate itself as any other client and therefore access data that belongs to other clients.
Weakness: Improper Certificate Validation (CWE-295). The product does not validate, or incorrectly validates, a certificate.
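The advisory does not state the root cause, so the following example (added here; it is not Keycloak's code) shows the two independent checks an mTLS client authenticator has to make so that a certificate valid for one client cannot be presented as another: chain validation of the presented leaf against the server's trust anchors, and binding of the leaf subject to the registration of the client_id actually being requested. It is written in Go with only the standard library, builds a throwaway CA and client certificates in memory (constructed fixtures), and includes a deliberately weakened variant that skips the chain step to show the impersonation the advisory describes: a certificate that merely carries another client's subject DN is accepted. The RegisteredClient record, the exact-DN matching rule and all names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sentinel errors for the two independent checks.
var (
	ErrUntrustedChain   = errors.New("client certificate does not chain to a trusted CA")
	ErrIdentityMismatch = errors.New("certificate subject is not bound to the requested client_id")
)

// RegisteredClient is a hypothetical registration record: the client_id and the
// exact subject DN of the certificate that is allowed to authenticate it.
type RegisteredClient struct {
	ClientID  string
	SubjectDN string
}

// AuthenticateClient is the hardened check. Both steps must pass:
//  1. the presented leaf chains to the server's trust anchors and carries the
//     TLS client-authentication extended key usage;
//  2. the leaf subject is the one registered for the *requested* client_id.
func AuthenticateClient(roots *x509.CertPool, leaf *x509.Certificate, requestedClientID string, registry map[string]RegisteredClient) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedChain, err)
	}
	return bindSubject(leaf, requestedClientID, registry)
}

// AuthenticateClientWeak skips step 1 and trusts whatever subject the presented
// certificate claims. It exists only to show why the chain check matters.
func AuthenticateClientWeak(leaf *x509.Certificate, requestedClientID string, registry map[string]RegisteredClient) error {
	return bindSubject(leaf, requestedClientID, registry)
}

// bindSubject compares the leaf subject with the registered DN exactly (no regex).
func bindSubject(leaf *x509.Certificate, requestedClientID string, registry map[string]RegisteredClient) error {
	rc, ok := registry[requestedClientID]
	if !ok || leaf.Subject.String() != rc.SubjectDN {
		return ErrIdentityMismatch
	}
	return nil
}

// --- constructed fixtures: an in-memory CA and client certificates ---

var serialCounter int64

func certTemplate(cn string) *x509.Certificate {
	serialCounter++
	return &x509.Certificate{
		SerialNumber: big.NewInt(serialCounter),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewCA returns a self-signed CA certificate and its private key.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	t := certTemplate(cn)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return mustParse(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)), key
}

// NewClientCert issues a client-auth leaf for cn. With issuer == nil the leaf is
// self-signed, modelling a certificate minted by an attacker.
func NewClientCert(cn string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	t := certTemplate(cn)
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	parent, signer := issuer, issuerKey
	if issuer == nil {
		parent, signer = t, key
	}
	return mustParse(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
}

// Outcome records the result of each scenario.
type Outcome struct {
	LegitB, CrossClient, SelfSignedB, WeakSelfSignedB error
}

// RunScenarios registers two clients under one CA and tries three presentations.
func RunScenarios() Outcome {
	ca, caKey := NewCA("Example Client CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	registry := map[string]RegisteredClient{
		"client-a": {ClientID: "client-a", SubjectDN: "CN=client-a"},
		"client-b": {ClientID: "client-b", SubjectDN: "CN=client-b"},
	}
	certA := NewClientCert("client-a", ca, caKey)
	certB := NewClientCert("client-b", ca, caKey)
	forgedB := NewClientCert("client-b", nil, nil) // self-signed, claims client-b's DN
	return Outcome{
		LegitB:          AuthenticateClient(roots, certB, "client-b", registry),
		CrossClient:     AuthenticateClient(roots, certA, "client-b", registry),
		SelfSignedB:     AuthenticateClient(roots, forgedB, "client-b", registry),
		WeakSelfSignedB: AuthenticateClientWeak(forgedB, "client-b", registry),
	}
}

func main() {
	o := RunScenarios()
	fmt.Println("proper client-b cert as client-b:     ", o.LegitB)
	fmt.Println("client-a's cert presented as client-b:", o.CrossClient)
	fmt.Println("self-signed cert claiming client-b:   ", o.SelfSignedB)
	fmt.Println("same forged cert, no chain check:     ", o.WeakSelfSignedB)
}
```

The order of the two steps is deliberate: the subject is only meaningful once the chain has been anchored to a CA the server trusts, and the binding must be to the client_id the request names rather than to any client whose registered DN happens to match, otherwise a legitimately issued certificate (as in the CrossClient case) or a forged one (SelfSignedB) can be turned into another client's session.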
Affected products (CPE-style product and vendor names as listed; `-` means no version bound is given, and a row whose start and end version coincide affects that version only):

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Keycloak | Redhat | - (including) | - (including) |
| Openshift_container_platform | Redhat | 4.9 (including) | 4.9 (including) |
| Openshift_container_platform | Redhat | 4.10 (including) | 4.10 (including) |
| Openshift_container_platform | Redhat | 4.11 (including) | 4.11 (including) |
| Openshift_container_platform | Redhat | 4.12 (including) | 4.12 (including) |
| Single_sign-on | Redhat | 7.6 (including) | 7.6 (including) |