CVE Vulnerabilities

CVE-2023-2422

Improper Certificate Validation

Published: Oct 04, 2023 | Modified: Nov 07, 2023
CVSS 3.x
7.1
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
5.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Ubuntu

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Keycloak Redhat - (including) - (including)
Openshift_container_platform Redhat 4.9 (including) 4.9 (including)
Openshift_container_platform Redhat 4.10 (including) 4.10 (including)
Openshift_container_platform Redhat 4.11 (including) 4.11 (including)
Openshift_container_platform Redhat 4.12 (including) 4.12 (including)
Single_sign-on Redhat 7.6 (including) 7.6 (including)
Red Hat Single Sign-On 7 RedHat keycloak-oauth *
Red Hat Single Sign-On 7.6 for RHEL 7 RedHat rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el7sso *
Red Hat Single Sign-On 7.6 for RHEL 8 RedHat rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el8sso *
Red Hat Single Sign-On 7.6 for RHEL 9 RedHat rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el9sso *
RHEL-8 based Middleware Containers RedHat rh-sso-7/sso76-openshift-rhel8:7.6-24 *

Potential Mitigations

References