CVE-2023-2422

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name	Vendor	Start Version	End Version
Keycloak	Redhat	- (including)	- (including)
Openshift_container_platform	Redhat	4.9 (including)	4.9 (including)
Openshift_container_platform	Redhat	4.10 (including)	4.10 (including)
Openshift_container_platform	Redhat	4.11 (including)	4.11 (including)
Openshift_container_platform	Redhat	4.12 (including)	4.12 (including)
Single_sign-on	Redhat	7.6 (including)	7.6 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/459.html
https://cwe.mitre.org/data/definitions/475.html

References

https://access.redhat.com/errata/RHSA-2023:3883
https://access.redhat.com/errata/RHSA-2023:3884
https://access.redhat.com/errata/RHSA-2023:3885
https://access.redhat.com/errata/RHSA-2023:3888
https://access.redhat.com/errata/RHSA-2023:3892
https://access.redhat.com/security/cve/CVE-2023-2422
https://bugzilla.redhat.com/show_bug.cgi?id=2191668

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-2422
CWE	https://cwe.mitre.org/data/definitions/295.html

Improper Certificate Validation

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References