CVE-2023-6787

A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter prompt=login, prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting Restart login, an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/114.html
• https://cwe.mitre.org/data/definitions/115.html
• https://cwe.mitre.org/data/definitions/151.html
• https://cwe.mitre.org/data/definitions/194.html
• https://cwe.mitre.org/data/definitions/22.html
• https://cwe.mitre.org/data/definitions/57.html
• https://cwe.mitre.org/data/definitions/593.html
• https://cwe.mitre.org/data/definitions/633.html
• https://cwe.mitre.org/data/definitions/650.html
• https://cwe.mitre.org/data/definitions/94.html

References

• https://access.redhat.com/errata/RHSA-2024:1867
• https://access.redhat.com/errata/RHSA-2024:1868
• https://access.redhat.com/security/cve/CVE-2023-6787
• https://bugzilla.redhat.com/show_bug.cgi?id=2254375
• https://github.com/keycloak/keycloak/security/advisories/GHSA-c9h6-v78w-52wj
• https://access.redhat.com/errata/RHSA-2024:1867
• https://access.redhat.com/errata/RHSA-2024:1868
• https://access.redhat.com/security/cve/CVE-2023-6787
• https://bugzilla.redhat.com/show_bug.cgi?id=2254375