A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:3885 https://access.redhat.com/errata/RHSA-2023:3885
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:3884 https://access.redhat.com/errata/RHSA-2023:3884
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3883
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:3888 https://access.redhat.com/errata/RHSA-2023:3888
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-2422