Bug 2221760 (CVE-2023-3597) - CVE-2023-3597 keycloak: secondary factor bypass in step-up authentication
Summary: CVE-2023-3597 keycloak: secondary factor bypass in step-up authentication
Keywords:
Status: NEW
Alias: CVE-2023-3597
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2221758
Reported: 2023-07-10 17:10 UTC by Chess Hazlett
Modified: 2024-04-24 12:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
- Red Hat Product Errata RHSA-2024:1867 (last updated 2024-04-16 20:27:06 UTC)
- Red Hat Product Errata RHSA-2024:1868 (last updated 2024-04-16 20:26:27 UTC)

Description Chess Hazlett 2023-07-10 17:10:21 UTC
Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication.

Comment 5 errata-xmlrpc 2024-04-16 20:26:26 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22.0.10

Via RHSA-2024:1868 https://access.redhat.com/errata/RHSA-2024:1868

Comment 6 errata-xmlrpc 2024-04-16 20:27:04 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:1867 https://access.redhat.com/errata/RHSA-2024:1867

