Back to bug 2160585
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Chess Hazlett | 2023-01-12 23:10:58 UTC | CC | security-response-team | |
| errata-xmlrpc | 2023-03-01 21:44:16 UTC | Group | qe_staff, security | |
| errata-xmlrpc | 2023-03-01 21:44:16 UTC | Summary | EMBARGOED CVE-2023-0264 keycloak: user impersonation via stolen uuid code | CVE-2023-0264 keycloak: user impersonation via stolen uuid code |
| errata-xmlrpc | 2023-03-01 21:44:16 UTC | Link ID | Red Hat Product Errata RHSA-2023:1043 | |
| errata-xmlrpc | 2023-03-01 21:46:46 UTC | Link ID | Red Hat Product Errata RHSA-2023:1044 | |
| errata-xmlrpc | 2023-03-01 21:49:12 UTC | Link ID | Red Hat Product Errata RHSA-2023:1045 | |
| errata-xmlrpc | 2023-03-01 21:50:09 UTC | Link ID | Red Hat Product Errata RHSA-2023:1047 | |
| errata-xmlrpc | 2023-03-01 22:00:16 UTC | Link ID | Red Hat Product Errata RHSA-2023:1049 | |
| Product Security DevOps Team | 2023-03-02 01:51:57 UTC | Resolution | --- | ERRATA |
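| Product Security DevOps Team | 2023-03-02 01:51:57 UTC | Status | NEW | CLOSED |
| Product Security DevOps Team | 2023-03-02 01:51:57 UTC | Last Closed | 2023-03-02 01:51:57 UTC | |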
| Chess Hazlett | 2023-03-15 19:38:39 UTC | Doc Text | Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens. This flaw could potentially impact Confidentiality, Integrity, and Availability. | |
| Paige Jung | 2023-03-15 20:13:12 UTC | Doc Text | Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens. This flaw could potentially impact Confidentiality, Integrity, and Availability. | A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability. |
| Chess Hazlett | 2023-03-23 21:28:47 UTC | CC | asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, darran.lofthouse, dkreling, dosoudil, fjuma, gzaronik, ivassile, iweiss, lgao, mokumar, mosmerov, msochure, msvehla, nwallace, pmackay, rstancel, smaestri, tom.jenkinson | |
| Chess Hazlett | 2023-08-04 15:41:53 UTC | Fixed In Version | keycloak 18.0.6 | |
| Chess Hazlett | 2023-08-04 16:41:17 UTC | Severity | high | medium |
| Chess Hazlett | 2023-08-04 16:41:17 UTC | Priority | high | medium |