A flaw was found in keycloak-core. This flaw considers the scenario when using X509 Client Certificate Authenticatior with the option "Revalidate Client Certificate". A user may be able to choose, if directly connect to keycloak (not passing via reverse proxy) a specific certificate. If there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE the authenticator allows even with the "Cannot validate client certificate trust: Truststore not available" message as there's no certificate to trust against.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:3885 https://access.redhat.com/errata/RHSA-2023:3885
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:3884 https://access.redhat.com/errata/RHSA-2023:3884
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3883
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:3888 https://access.redhat.com/errata/RHSA-2023:3888
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-1664
This issue has been addressed in the following products: AMQ Broker 7.11.2 Via RHSA-2023:5491 https://access.redhat.com/errata/RHSA-2023:5491