Main Vulnerability Database Vulnerabilities #VU88792

#VU88792 Improper Authentication in Keycloak - CVE-2023-3597

Published: April 17, 2024

Vulnerability identifier: #VU88792

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-3597

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Keycloak

Software vendor:
Keycloak

Description

The vulnerability allows a remote user to bypass 2FA authentication process.

The vulnerability exists due to Keycloak does not correctly validate its client step-up authentication in org.keycloak.authentication. A remote user authenticated with password can use this flaw to register a false second authentication factor along with existing one and bypass authentication.

Remediation

Install updates from vendor's website.

External links

https://github.com/keycloak/keycloak/security/advisories/GHSA-4f53-xh3v-g8x4
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868

#VU88792 Improper Authentication in Keycloak - CVE-2023-3597

Description

Remediation

External links

Please verify you're human