Main Vulnerability Database Vulnerabilities #VU77752

#VU77752 Improper Certificate Validation in Keycloak - CVE-2023-1664

Published: June 28, 2023 / Updated: June 28, 2023

Vulnerability identifier: #VU77752

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-1664

CWE-ID: CWE-295

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Keycloak

Software vendor:
Keycloak

Description

The vulnerability allows a remote attacker to bypass client certificate validation.

The vulnerability exists due to improper certificate validation when using X509 Client Certificate Authenticatior with the option "Revalidate Client Certificate". A remote attacker with ability to directly connect to Keycloak (e.g. not via the reverse proxy) can bypass certificate validation and gain unauthorized access to the application.

Successful exploitation of the vulnerability requires that there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE, which results in accepting any certificate with the logging information of "Cannot validate client certificate trust: Truststore not available".

Remediation

Install update from vendor's website.

#VU77752 Improper Certificate Validation in Keycloak - CVE-2023-1664

Description

Remediation

External links

Please verify you're human