Bug 2238588 (CVE-2023-4918) - CVE-2023-4918 keycloak: Plaintext Storage of User Password
Summary: CVE-2023-4918 keycloak: Plaintext Storage of User Password
Keywords:
Status: NEW
Alias: CVE-2023-4918
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2238582
TreeView+ depends on / blocked
 
Reported: 2023-09-12 15:19 UTC by Patrick Del Bello
Modified: 2023-09-12 19:21 UTC (History)
9 users (show)

Fixed In Version: keycloak 22.0.3
Doc Type: ---
Doc Text:
A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Patrick Del Bello 2023-09-12 15:19:30 UTC 
A flaw was discovered in Keycloak Core package.  When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular attributes in the users attributes. The password is also created, but the user attributes must not be there. This way, any entities (all users and clients with proper rights/roles) are able to retrieve the users passwords in clear-text. 

A malicious user with minimal access reading other users attributes could have access to their password and hence jeopardize the environment. 

This shall only affect Keycloak 22.0.2. While Keycloak 22.0.1 is not affected.
Comment 1 Patrick Del Bello 2023-09-12 15:22:39 UTC 
https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35
Note You need to log in before you can comment on or make changes to this bug.