A flaw was found in the Keycloak package. The issue stems from a permissive, hardcoded regular expression used to filter which hosts may register a dynamic client. A malicious user with enough information about the environment could compromise a deployment that uses this specific Dynamic Client Registration and TrustedDomain configuration by registering a client from a host that was previously unauthorized.
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Red Hat build of Keycloak 22 | RedHat | rhbk/keycloak-operator-bundle:22.0.10-1 | * |
Red Hat build of Keycloak 22 | RedHat | rhbk/keycloak-rhel9:22-13 | * |
Red Hat build of Keycloak 22 | RedHat | rhbk/keycloak-rhel9-operator:22-16 | * |
Red Hat build of Keycloak 22.0.10 | RedHat | keycloak-core | * |
Red Hat Single Sign-On 7.6 for RHEL 7 | RedHat | rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el7sso | * |
Red Hat Single Sign-On 7.6 for RHEL 8 | RedHat | rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el8sso | * |
Red Hat Single Sign-On 7.6 for RHEL 9 | RedHat | rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el9sso | * |
RHEL-8 based Middleware Containers | RedHat | rh-sso-7/sso76-openshift-rhel8:7.6-46 | * |
RHSSO 7.6.8 | RedHat | keycloak-core | * |
This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:
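To illustrate the partial-comparison behaviour described above, the following is an added example and not Keycloak's own code or its actual pattern: a trusted-domain check built from a constructed domain list, once with a permissive pattern (unescaped dots, no anchoring, substring search) and once with a hardened pattern (escaped metacharacters, optional DNS labels in front, full-string match). The domain names, hostnames and function names are all constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configuration: the domains an administrator intends to
# trust for dynamic client registration. Hypothetical values, not Keycloak's.
TRUSTED_DOMAINS = ["example.com", "partner.example.org"]


def permissive_pattern(domain: str) -> re.Pattern:
    """Weak pattern built directly from the configured domain string.

    Two defects: the dots are regex metacharacters (each matches any single
    character), and nothing anchors the pattern to the start and end of the
    hostname, so a substring match is enough.
    """
    return re.compile(domain, re.IGNORECASE)


def strict_pattern(domain: str) -> re.Pattern:
    """Hardened pattern: metacharacters escaped, only optional DNS-label
    subdomains permitted in front, and the caller uses fullmatch() so the
    pattern must cover the entire hostname."""
    return re.compile(r"(?:[a-z0-9-]{1,63}\.)*" + re.escape(domain), re.IGNORECASE)


def host_of(redirect_uri: str) -> str:
    """Extract the hostname to compare; scheme, port and path are not part
    of the trust decision in this example."""
    host = urlsplit(redirect_uri).hostname
    if not host:
        raise ValueError(f"no host in {redirect_uri!r}")
    return host


def is_trusted_permissive(redirect_uri: str) -> bool:
    # search() succeeds on any substring: the partial comparison CWE-625 describes.
    host = host_of(redirect_uri)
    return any(permissive_pattern(d).search(host) for d in TRUSTED_DOMAINS)


def is_trusted_strict(redirect_uri: str) -> bool:
    # fullmatch() requires the pattern to consume the whole hostname.
    host = host_of(redirect_uri)
    return any(strict_pattern(d).fullmatch(host) for d in TRUSTED_DOMAINS)


def compare(redirect_uris):
    """Return (uri, permissive_result, strict_result) for each candidate."""
    return [(u, is_trusted_permissive(u), is_trusted_strict(u)) for u in redirect_uris]


if __name__ == "__main__":
    # Constructed candidates: the first two are legitimate, the rest should be rejected.
    candidates = [
        "https://example.com/callback",
        "https://app.example.com/cb",
        "https://example.com.evil.test/cb",  # trusted domain as a prefix of a foreign host
        "https://notexample.com/cb",         # trusted domain as a trailing substring
        "https://exampleXcom/cb",            # unescaped dot acts as a wildcard
        "https://evil.test/cb",
    ]
    for uri, loose, strict in compare(candidates):
        print(f"{uri:40} permissive={loose!s:5} strict={strict!s:5}")
```

Running the block shows the permissive check accepting the three hosts that merely contain, or pattern-match, a trusted domain, while the strict check accepts only the exact domain and its subdomains; the difference comes entirely from `re.escape` plus `fullmatch()` versus a raw string passed to `search()`.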