Bug 2158910 (CVE-2023-0105) - CVE-2023-0105 keycloak: impersonation and lockout possible through incorrect handling of email trust
Summary: CVE-2023-0105 keycloak: impersonation and lockout possible through incorrect ...
Keywords:
Status: NEW
Alias: CVE-2023-0105
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2152160
TreeView+ depends on / blocked
 
Reported: 2023-01-06 21:30 UTC by Joshua Mulliken
Modified: 2023-01-11 16:06 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.
Clone Of:
Environment:
Last Closed:

Attachments (Terms of Use)

Description Joshua Mulliken 2023-01-06 21:30:35 UTC 
Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.

Step-by-Step Reproducer:
1. Set up a Keycloak instance with a 'customer' realm
2. Create a ‘shared’ realm where the 'customer' realm is linked as an identity provider.
3. Disable the ‘Trust email’ configuration option in the ‘shared’ realm.
4. Create a new user in the 'customer' realm and log in to the ‘shared’ realm.
5. Verify that the user is prompted to verify their email address.
6. Update the email address of the user in the customer realm and log in to the ‘shared’ realm.
7. Verify that the email address attribute is updated but remains verified.
Note You need to log in before you can comment on or make changes to this bug.