A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter prompt=login, prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting Restart login, an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Build_of_keycloak | Redhat | - (including) | - (including) |
| Keycloak | Redhat | * | 22.0.10 (excluding) |
| Keycloak | Redhat | 23.0.0 (including) | 24.0.3 (excluding) |
| Red Hat build of Keycloak 22 | RedHat | rhbk/keycloak-operator-bundle:22.0.10-1 | * |
| Red Hat build of Keycloak 22 | RedHat | rhbk/keycloak-rhel9:22-13 | * |
| Red Hat build of Keycloak 22 | RedHat | rhbk/keycloak-rhel9-operator:22-16 | * |
| Red Hat build of Keycloak 22.0.10 | RedHat | keycloak-core | * |