Back to bug 2182196
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Paige Jung | 2023-03-27 21:10:50 UTC | Doc Text | A flaw was found in Keycloak. This flaw allows, when using "Revalidate Client Certificate", unintended access of an untrusted certificate when KC_SPI_TRUSTSTORE_FILE_FILE is misconfigured. | A flaw was found in Keycloak. This issue may allow unintended access of an untrusted certificate when using "Revalidate Client Certificate" and when KC_SPI_TRUSTSTORE_FILE_FILE is misconfigured. |
| Patrick Del Bello | 2023-05-23 13:01:46 UTC | Doc Text | A flaw was found in Keycloak. This issue may allow unintended access of an untrusted certificate when using "Revalidate Client Certificate" and when KC_SPI_TRUSTSTORE_FILE_FILE is misconfigured. | A flaw was found in Keycloak. This flaw depends on the non-default configuration "Revalidate Client Certificate" being enabled and on the reverse proxy not validating the certificate before Keycloak. Using this method, an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing or misconfigured, any trustfile may be accepted, with the logging information "Cannot validate client certificate trust: Truststore not available". This may not impact availability, but it may impact the integrity or confidentiality of consumer applications. Considering the environment is correctly set, this flaw is avoidable by configuring the server. |
| Patrick Del Bello | 2023-05-23 15:19:49 UTC | CC | anstephe, ataylor, avibelli, bbuckingham, bcourt, bgeorges, clement.escoffier, dandread, dkreling, ehelms, fjansen, gsmet, hamadhan, jmartisk, jross, jsherril, lthon, lzap, max.andersen, mhulan, myarboro, nmoumoul, orabin, pcreech, peholase, pgallagh, probinso, rchan, rkieley, rruss, rsvoboda, sbiarozk, sdouglas | |
| Patrick Del Bello | 2023-05-23 15:25:59 UTC | CC | aileenc, eric.wittmann, gmalinko, janstey, jpavlik, pantinor, pdelbell | |
| errata-xmlrpc | 2023-06-27 18:49:32 UTC | Link ID | Red Hat Product Errata RHSA-2023:3885 | |
| errata-xmlrpc | 2023-06-27 18:49:39 UTC | Link ID | Red Hat Product Errata RHSA-2023:3884 | |
| errata-xmlrpc | 2023-06-27 18:49:48 UTC | Link ID | Red Hat Product Errata RHSA-2023:3883 | |
| errata-xmlrpc | 2023-06-27 18:49:55 UTC | Link ID | Red Hat Product Errata RHSA-2023:3888 | |
| errata-xmlrpc | 2023-06-27 18:53:54 UTC | Link ID | Red Hat Product Errata RHSA-2023:3892 | |
| Product Security DevOps Team | 2023-06-27 23:30:55 UTC | Status | NEW | CLOSED |
| Product Security DevOps Team | 2023-06-27 23:30:55 UTC | Resolution | --- | ERRATA |
| Product Security DevOps Team | 2023-06-27 23:30:55 UTC | Last Closed | | 2023-06-27 23:30:55 UTC |
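The Doc Text above describes a fail-open pattern: with "Revalidate Client Certificate" enabled and no truststore loaded, the server logs "Cannot validate client certificate trust: Truststore not available" and accepts whatever certificate the attacker presents. The following is an added example, not Keycloak's code or anything from this bug: it models that control flow beside a fail-closed version, adds a pre-flight check for the KC_SPI_TRUSTSTORE_FILE_FILE variable named in the Doc Text, and scans log lines for the quoted warning. The Cert and Truststore classes, the issuer-fingerprint comparison, and the sample log lines are constructed stand-ins chosen for this illustration.

```python
"""Fail-open vs fail-closed client-certificate trust check (illustrative
model, not Keycloak's implementation), plus a truststore pre-flight check
and a log scan for the warning quoted in the bug's Doc Text.
"""
import logging
import os
import re
from dataclasses import dataclass
from typing import Iterable, Optional

log = logging.getLogger("x509-client-cert")

TRUSTSTORE_ENV = "KC_SPI_TRUSTSTORE_FILE_FILE"  # variable named in the Doc Text
WARNING = "Cannot validate client certificate trust: Truststore not available"  # message quoted in the Doc Text


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate; only the fields the check needs."""
    subject: str
    issuer_fingerprint: str  # hypothetical: hex digest identifying the issuing CA


@dataclass(frozen=True)
class Truststore:
    """Constructed stand-in for a loaded truststore: fingerprints of trusted CAs."""
    trusted_issuers: frozenset


def validate_fail_open(cert: Cert, truststore: Optional[Truststore]) -> bool:
    """Weak behaviour the Doc Text describes: no truststore -> warn and accept."""
    if truststore is None:
        log.warning(WARNING)
        return True  # fail open: an attacker-chosen certificate is accepted
    return cert.issuer_fingerprint in truststore.trusted_issuers


def validate_fail_closed(cert: Cert, truststore: Optional[Truststore]) -> bool:
    """Hardened behaviour: a missing truststore is a configuration error and
    must reject every certificate rather than accept every certificate."""
    if truststore is None:
        log.error("%s; rejecting client certificate for %s", WARNING, cert.subject)
        return False  # fail closed
    return cert.issuer_fingerprint in truststore.trusted_issuers


def truststore_configured(env: dict) -> Optional[str]:
    """Pre-flight check: None if KC_SPI_TRUSTSTORE_FILE_FILE names a readable
    file, otherwise a human-readable reason the truststore will be missing."""
    path = env.get(TRUSTSTORE_ENV)
    if not path:
        return f"{TRUSTSTORE_ENV} is not set"
    if not os.path.isfile(path):
        return f"{TRUSTSTORE_ENV}={path!r} does not exist"
    if not os.access(path, os.R_OK):
        return f"{TRUSTSTORE_ENV}={path!r} is not readable"
    return None


_WARNING_RE = re.compile(re.escape(WARNING))


def find_truststore_warnings(lines: Iterable[str]) -> list:
    """1-based numbers of log lines carrying the warning; in the weak
    configuration each one marks a certificate accepted without a trust check."""
    return [i for i, line in enumerate(lines, 1) if _WARNING_RE.search(line)]


# Constructed sample data for the demonstration.
TRUSTED = Truststore(trusted_issuers=frozenset({"aa11" * 16}))
LEGIT = Cert(subject="CN=alice", issuer_fingerprint="aa11" * 16)
ROGUE = Cert(subject="CN=alice", issuer_fingerprint="ff00" * 16)  # issued by an untrusted CA

SAMPLE_LOG = [  # constructed log lines; the format is not a claim about Keycloak's output
    "2023-05-23 13:01:46,000 INFO  server started",
    "2023-05-23 13:02:10,123 WARN  " + WARNING,
    "2023-05-23 13:02:10,130 INFO  type=LOGIN, username=alice",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("no truststore, fail-open accepts rogue cert:", validate_fail_open(ROGUE, None))
    print("no truststore, fail-closed accepts rogue cert:", validate_fail_closed(ROGUE, None))
    print("truststore present, rogue cert accepted:", validate_fail_closed(ROGUE, TRUSTED))
    print("truststore present, legit cert accepted:", validate_fail_closed(LEGIT, TRUSTED))
    print("pre-flight check on this environment:", truststore_configured(dict(os.environ)))
    print("warning found at log lines:", find_truststore_warnings(SAMPLE_LOG))
```

The design point is that an unavailable truststore is a deployment error, and the only safe response is to reject the certificate and surface the error, never to log and continue; the pre-flight check and the log scan are the two places an operator can catch the misconfiguration before or after the fact.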