A flaw was found in Keycloak before version 8.0.0. The owner of the 'placeholder.org' domain can set up a mail server on this domain and, knowing only the name of a client, can reset the password and then log in. For example, for client name 'test' the email address will be 'service-account-test'
Upstream issue: https://issues.jboss.org/browse/KEYCLOAK-10780
Upstream patch: https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f
The version of Keycloak used in Red Hat Mobile Application Platform did not have the Service Account feature. It was added in version 1.4, see: https://planet.jboss.org/post/service_accounts_support_in_keycloak
Please refer to the attached screenshots to replicate this.
Created attachment 1614803: Series of screenshots
Steps to reproduce:
- Create an application and deploy it on JBoss EAP with the authentication mechanism set to BASIC, and secure it with RHSSO.
- Register this application as an RHSSO client (confidential client) with service account enabled (shown in the attached screenshot).
- Set up an email server and email verification in the RHSSO realm (shown in the attached screenshot).
- I have also attached a screenshot of my local JDBC client showing the USER_ENTITY table from the H2 database. Observe the default email ID created for service accounts (shown in the attached screenshot).
- Just to be sure that RHSSO indeed sends password reset emails, change the default email ID to one you have access to.
- Now access your application URL and click on "forget password".
- Enter the user name as "service-account-<client-id>" and click submit (shown in the attached screenshot).
- You will get the password reset email at your email ID (shown in the attached screenshot).
- Now reset the password and log in again with the new password.
Acknowledgments: Name: Vadim Ashikhman
Mitigation: It is not a very straightforward workaround, but it is possible to mitigate this by manually editing the default email ID (service_account_name) to some valid email ID (abc) in the USER_ENTITY table in the RHSSO database used.
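The following is an added example, not code from the bug report or from the Keycloak project. It shows how an administrator could audit the USER_ENTITY table for the weak default described in the report (service-account users whose email sits under the placeholder.org domain) and then apply the workaround above by repointing those addresses at a domain the administrator controls. Assumptions: the column names USERNAME, EMAIL, SERVICE_ACCOUNT_CLIENT_LINK and EMAIL_VERIFIED follow the Keycloak schema; an in-memory sqlite3 database with constructed rows stands in for the H2 database mentioned on the page; the domain "sso-admin.example" is a placeholder for an operator-owned domain.

```python
"""Audit and repair default service-account e-mail addresses (CVE-2019-14837).

Added example, not code from the bug report or from Keycloak.  It assumes the
USER_ENTITY columns named below match the Keycloak schema and uses sqlite3 as a
stand-in for the H2 database described on the page.
"""
import sqlite3
from typing import List, Tuple

# Domain that the report says an outside party could register and receive mail for.
PLACEHOLDER_DOMAIN = "placeholder.org"
# Username prefix Keycloak gives to service-account users, per the report.
SA_PREFIX = "service-account-"

# Constructed sample rows (not real data):
# (USERNAME, EMAIL, SERVICE_ACCOUNT_CLIENT_LINK, EMAIL_VERIFIED)
SAMPLE_ROWS = [
    ("service-account-test", "service-account-test@placeholder.org", "client-test", 0),
    ("service-account-billing", "Service-Account-Billing@Placeholder.org", "client-billing", 0),
    ("service-account-fixed", "service-account-fixed@sso-admin.example", "client-fixed", 1),
    ("alice", "alice@example.com", None, 1),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory USER_ENTITY table (reduced set of columns) with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE USER_ENTITY (
               ID INTEGER PRIMARY KEY,
               USERNAME TEXT NOT NULL,
               EMAIL TEXT,
               SERVICE_ACCOUNT_CLIENT_LINK TEXT,
               EMAIL_VERIFIED INTEGER NOT NULL DEFAULT 0)"""
    )
    conn.executemany(
        "INSERT INTO USER_ENTITY (USERNAME, EMAIL, SERVICE_ACCOUNT_CLIENT_LINK, EMAIL_VERIFIED) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def find_exposed_service_accounts(
    conn: sqlite3.Connection, domain: str = PLACEHOLDER_DOMAIN
) -> List[Tuple[str, str]]:
    """Return (username, email) for service-account users whose mail would leave the org.

    A row counts as a service account if it is linked to a client or its username
    carries the service-account prefix; it is exposed if its e-mail domain is the
    placeholder domain (compared case-insensitively).
    """
    rows = conn.execute(
        """SELECT USERNAME, EMAIL FROM USER_ENTITY
           WHERE (SERVICE_ACCOUNT_CLIENT_LINK IS NOT NULL OR USERNAME LIKE ?)
             AND LOWER(EMAIL) LIKE ?
           ORDER BY USERNAME""",
        (SA_PREFIX + "%", "%@" + domain.lower()),
    ).fetchall()
    return [(username, email) for username, email in rows]


def repoint_service_account_emails(
    conn: sqlite3.Connection, owned_domain: str, domain: str = PLACEHOLDER_DOMAIN
) -> int:
    """Apply the page's workaround: move each exposed address to an operator-owned domain.

    Returns the number of rows changed.  Password-reset mail for these accounts then
    goes to a mailbox the operator controls instead of to whoever holds the placeholder domain.
    """
    exposed = find_exposed_service_accounts(conn, domain)
    for username, _ in exposed:
        conn.execute(
            "UPDATE USER_ENTITY SET EMAIL = ? WHERE USERNAME = ?",
            (f"{username}@{owned_domain}", username),
        )
    conn.commit()
    return len(exposed)


if __name__ == "__main__":
    db = build_sample_db()
    for user, mail in find_exposed_service_accounts(db):
        print(f"exposed: {user} -> {mail}")
    changed = repoint_service_account_emails(db, "sso-admin.example")  # placeholder domain
    print(f"rows repointed: {changed}")
    print(f"remaining exposed: {find_exposed_service_accounts(db)}")
```

Run the audit read-only first and review the list; the real table has more columns (and a uniqueness constraint on the e-mail) than this reduced stand-in, so take a backup before running the UPDATE against a production RHSSO database, and prefer the vendor errata below over the manual edit wherever upgrading is possible.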
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 7 Via RHSA-2019:4041 https://access.redhat.com/errata/RHSA-2019:4041
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 6 Via RHSA-2019:4040 https://access.redhat.com/errata/RHSA-2019:4040
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 8 Via RHSA-2019:4042 https://access.redhat.com/errata/RHSA-2019:4042
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2019:4045 https://access.redhat.com/errata/RHSA-2019:4045
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14837