Bug 2158910 (CVE-2023-0105)

Summary: CVE-2023-0105 keycloak: impersonation and lockout possible through incorrect handling of email trust
Product: [Other] Security Response
Reporter: mulliken
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: boliveir, bugzilla, chazlett, pdelbell, pdrozd, pjindal, pskopek, sthorger
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: keycloak 22.0.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak. Because the email-verified state is not reset when a brokered user's email address changes, email trust is handled incorrectly and impersonation and lockout become possible. An attacker can shadow other users who have the same email address and lock them out or impersonate them.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2152160

Description mulliken 2023-01-06 21:30:35 UTC
Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.

Step-by-Step Reproducer:
1. Set up a Keycloak instance with a 'customer' realm.
2. Create a 'shared' realm where the 'customer' realm is linked as an identity provider.
3. Disable the 'Trust email' configuration option in the 'shared' realm.
4. Create a new user in the 'customer' realm and log in to the 'shared' realm.
5. Verify that the user is prompted to verify their email address.
6. Update the email address of the user in the 'customer' realm and log in to the 'shared' realm.
7. Verify that the email address attribute is updated but remains verified.
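
The reproducer above, carried through as an added example (this is not Keycloak's code and not the reporter's). It models the brokered-login update that the report describes in step 7, side by side with the invariant a hardened version must keep (a changed address from an untrusted identity provider is not verified until the user proves ownership again, so the prompt from step 5 fires again), and adds an audit over a realm user export to find accounts whose verified email is shared with another account. The realm alias `customer`, the usernames, the addresses and the export records are constructed; the hardened update is the expected behaviour, not a transcript of the upstream patch.

```python
"""Email-trust handling on repeat brokered logins, CVE-2023-0105 (added example).

Models the step-7 behaviour from the reproducer and an audit for its result.
All users, addresses and the 'customer' IdP alias are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BrokeredUser:
    username: str
    email: str
    email_verified: bool
    idp_alias: Optional[str] = None  # identity provider that created the link


def _norm(email: str) -> str:
    # Compare case-insensitively; Keycloak stores addresses lower-cased.
    return (email or "").strip().lower()


def update_from_idp_vulnerable(user: BrokeredUser, idp_email: str, trust_email: bool) -> BrokeredUser:
    """Pre-fix behaviour as the report describes it: the stored address is
    overwritten from the IdP claim, but emailVerified is never reset."""
    user.email = _norm(idp_email)
    if trust_email:
        user.email_verified = True
    return user


def update_from_idp_fixed(user: BrokeredUser, idp_email: str, trust_email: bool) -> BrokeredUser:
    """Hardened behaviour (the invariant the report expects, not the upstream
    patch itself): when the address changes and the IdP is not trusted for
    email, the verified flag drops so the verification prompt fires again."""
    new_email = _norm(idp_email)
    if new_email != _norm(user.email):
        user.email = new_email
        user.email_verified = trust_email
    elif trust_email:
        user.email_verified = True
    return user


def run_reproducer(update) -> BrokeredUser:
    """Steps 4-7 with 'Trust email' disabled in the 'shared' realm."""
    trust_email = False
    # Steps 4-5: first brokered login, user then completes email verification.
    u = BrokeredUser("customer.mallory", "mallory@example.com", False, "customer")
    u = update(u, "mallory@example.com", trust_email)
    u.email_verified = True  # user clicked the verification link
    # Step 6: address changed in the 'customer' realm to a victim's address.
    return update(u, "alice@example.com", trust_email)


def find_shadowed_emails(users: List[dict]) -> Dict[str, List[str]]:
    """Audit over UserRepresentation-shaped records (username, email,
    emailVerified, federatedIdentities): verified addresses claimed by more
    than one account, with brokered accounts tagged by their IdP alias."""
    claims: Dict[str, List[str]] = {}
    for u in users:
        email = _norm(u.get("email", ""))
        if not email or not u.get("emailVerified"):
            continue
        tag = u["username"]
        links = u.get("federatedIdentities") or []
        if links:
            tag += " (via " + ",".join(l["identityProvider"] for l in links) + ")"
        claims.setdefault(email, []).append(tag)
    return {e: names for e, names in claims.items() if len(names) > 1}


# Constructed realm export (not real data) in UserRepresentation shape.
SAMPLE_EXPORT = [
    {"username": "alice", "email": "alice@example.com", "emailVerified": True,
     "federatedIdentities": []},
    {"username": "customer.mallory", "email": "Alice@Example.com", "emailVerified": True,
     "federatedIdentities": [{"identityProvider": "customer", "userId": "7f3c", "userName": "mallory"}]},
    {"username": "bob", "email": "bob@example.com", "emailVerified": True,
     "federatedIdentities": []},
    {"username": "carol", "email": "alice@example.com", "emailVerified": False,
     "federatedIdentities": []},
]

if __name__ == "__main__":
    print("vulnerable:", run_reproducer(update_from_idp_vulnerable))
    print("fixed:     ", run_reproducer(update_from_idp_fixed))
    print("shadowed:  ", find_shadowed_emails(SAMPLE_EXPORT))
```

Against a real realm the audit takes the same fields from the admin API: `kcadm.sh get users -r shared` returns the user records, and `GET /admin/realms/{realm}/users/{id}/federated-identity` returns each user's IdP links if the list endpoint omits them. An unverified duplicate (carol above) is not flagged; the condition this bug creates is a brokered account that holds the victim's address with emailVerified set.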

Comment 5 errata-xmlrpc 2023-11-24 16:52:44 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:7484 https://access.redhat.com/errata/RHSA-2023:7484

Comment 6 errata-xmlrpc 2023-11-24 16:52:57 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:7482 https://access.redhat.com/errata/RHSA-2023:7482

Comment 7 errata-xmlrpc 2023-11-24 16:53:06 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:7483 https://access.redhat.com/errata/RHSA-2023:7483

Comment 8 errata-xmlrpc 2023-11-24 16:53:30 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:7486 https://access.redhat.com/errata/RHSA-2023:7486

Comment 9 errata-xmlrpc 2023-11-24 16:57:53 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:7488 https://access.redhat.com/errata/RHSA-2023:7488