2158910 – (CVE-2023-0105) CVE-2023-0105 keycloak: impersonation and lockout possible through incorrect handling of email trust

Bug 2158910 (CVE-2023-0105) - CVE-2023-0105 keycloak: impersonation and lockout possible through incorrect handling of email trust

Summary: CVE-2023-0105 keycloak: impersonation and lockout possible through incorrect ...

Keywords:
Status:	NEW
Alias:	CVE-2023-0105
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2152160
TreeView+	depends on / blocked

Reported:	2023-01-06 21:30 UTC by mulliken
Modified:	2024-04-17 10:49 UTC (History)
CC List:	8 users (show)
Fixed In Version:	keycloak 22.0.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:7482	None	None	None	2023-11-24 16:52:59 UTC
Red Hat Product Errata	RHSA-2023:7483	None	None	None	2023-11-24 16:53:07 UTC
Red Hat Product Errata	RHSA-2023:7484	None	None	None	2023-11-24 16:52:49 UTC
Red Hat Product Errata	RHSA-2023:7486	None	None	None	2023-11-24 16:53:31 UTC
Red Hat Product Errata	RHSA-2023:7488	None	None	None	2023-11-24 16:57:54 UTC

Description mulliken 2023-01-06 21:30:35 UTC

Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.

Step-by-Step Reproducer:
1. Set up a Keycloak instance with a 'customer' realm
2. Create a ‘shared’ realm where the 'customer' realm is linked as an identity provider.
3. Disable the ‘Trust email’ configuration option in the ‘shared’ realm.
4. Create a new user in the 'customer' realm and log in to the ‘shared’ realm.
5. Verify that the user is prompted to verify their email address.
6. Update the email address of the user in the customer realm and log in to the ‘shared’ realm.
7. Verify that the email address attribute is updated but remains verified.

Comment 5 errata-xmlrpc 2023-11-24 16:52:44 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:7484 https://access.redhat.com/errata/RHSA-2023:7484

Comment 6 errata-xmlrpc 2023-11-24 16:52:57 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:7482 https://access.redhat.com/errata/RHSA-2023:7482

Comment 7 errata-xmlrpc 2023-11-24 16:53:06 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:7483 https://access.redhat.com/errata/RHSA-2023:7483

Comment 8 errata-xmlrpc 2023-11-24 16:53:30 UTC

This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:7486 https://access.redhat.com/errata/RHSA-2023:7486

Comment 9 errata-xmlrpc 2023-11-24 16:57:53 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:7488 https://access.redhat.com/errata/RHSA-2023:7488

Note You need to log in before you can comment on or make changes to this bug.