5
CVE-2023-0264
- EPSS 3.94%
- Veröffentlicht 04.08.2023 18:15:11
- Zuletzt bearbeitet 21.11.2024 07:36:51
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
LoginUser impersonation via stolen UUID code
A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Single Sign-on Version < 7.6.2
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version9.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version9.0
Redhat ≫ Openshift Container Platform Version4.9
Redhat ≫ Openshift Container Platform Version4.10
Redhat ≫ Openshift Container Platform For Ibm Linuxone Version4.9
Redhat ≫ Openshift Container Platform For Ibm Linuxone Version4.10
Redhat ≫ Openshift Container Platform Ibm Z Systems Version4.9
Redhat ≫ Openshift Container Platform Ibm Z Systems Version4.10
Redhat ≫ Single Sign-on Version < 7.6.2
Redhat ≫ Single Sign-on Version- SwEditiontext-only
Weitere Schwachstelleninformationen
SystemKeycloak
≫
Produkt
Keycloak Server
Version
< 21.0.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.94% | 0.884 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5 | 1.6 | 3.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.