/clients-registrations/openid-connect could consume an invalidated token and register a new client.

Reproducer:
1. Generate a token for the service account using the client_credentials flow.
2. Revoke the token using the /revoke endpoint, passing in the above token.
3. Now invoke /clients-registrations/openid-connect, passing in the above generated token for auth.
4. A client is created using the token.
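The reproducer above boils down to one check that the registration endpoint did not perform: a bearer token was accepted on signature and expiry alone, without consulting the revocation state that /revoke had recorded. The following is an added, self-contained model of that failure mode in Python; it is not Keycloak or Red Hat SSO code, and the token format, the class and function names (TokenService, register_client_vulnerable, register_client_fixed, reproduce) and the constructed secret and client ids are assumptions made for illustration. The vulnerable handler and its hardened form sit side by side so the difference is the single revocation lookup.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenService:
    """Constructed stand-in for an authorization server: issues HMAC-signed
    bearer tokens, records revocations by token id (jti), and validates tokens.
    Not Keycloak's implementation; the format is a deliberately simple
    'payload.signature' string."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._revoked: set[str] = set()  # jti values passed to /revoke

    def issue_client_credentials(self, client_id: str, ttl: int = 300) -> str:
        """Model of the client_credentials flow: a token for a service account."""
        payload = {"sub": client_id, "jti": secrets.token_hex(8),
                   "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
        sig = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate(self, token: str):
        """Signature and expiry check only. Returns the payload or None.
        This is what the vulnerable registration path relied on."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload["exp"] < time.time():
            return None
        return payload

    def revoke(self, token: str) -> bool:
        """Model of the /revoke endpoint: remember the token id as invalid."""
        payload = self.validate(token)
        if payload is None:
            return False
        self._revoked.add(payload["jti"])
        return True

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked


def register_client_vulnerable(svc: TokenService, token: str,
                               new_client_id: str, registry: dict) -> int:
    """Registration handler modelled on the flaw: accepts any token that is
    well-signed and unexpired, even after it was revoked."""
    payload = svc.validate(token)
    if payload is None:
        return 401
    registry[new_client_id] = payload["sub"]
    return 201


def register_client_fixed(svc: TokenService, token: str,
                          new_client_id: str, registry: dict) -> int:
    """Hardened handler: the revocation list is consulted before the token
    is allowed to authorize a registration."""
    payload = svc.validate(token)
    if payload is None or svc.is_revoked(payload["jti"]):
        return 401
    registry[new_client_id] = payload["sub"]
    return 201


def reproduce():
    """Runs the four reproducer steps against both handlers and returns
    (vulnerable_status, fixed_status, vulnerable_registry, fixed_registry)."""
    svc = TokenService(b"constructed-secret-for-illustration")
    token = svc.issue_client_credentials("service-account-example-client")  # step 1
    assert svc.revoke(token)                                                  # step 2
    vuln_registry, fixed_registry = {}, {}
    vuln = register_client_vulnerable(svc, token, "attacker-client", vuln_registry)  # step 3/4
    fixed = register_client_fixed(svc, token, "attacker-client", fixed_registry)
    return vuln, fixed, vuln_registry, fixed_registry


if __name__ == "__main__":
    v, f, vr, fr = reproduce()
    print(f"vulnerable handler: HTTP {v}, registry={vr}")
    print(f"fixed handler:      HTTP {f}, registry={fr}")
```

The point for anyone auditing a similar endpoint: any path that accepts a bearer token to perform a privileged action must check the same revocation state that the revocation endpoint writes, either by a shared store lookup as above or by introspection; a signature-plus-expiry check alone makes /revoke ineffective for that path.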
CVSS explanation on Privileges Required: (H) instead of (N). The CVSS metric for Privileges Required is expected to be "High". This is explained in the flaw description, as the attacker requires access to the access token that was meant to be revoked. This follows the CVSS metric definition: "The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files." Considering the above information, a prior privilege is required before the attacker can jeopardize the environment.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0091