CVE-2023-6544
CVSS 3.1 base score: 5.4 (Medium)
- EPSS 1.31%
- Published 25.04.2024 16:15:10
- Last modified 15.04.2026 00:35:42
- Source secalert@redhat.com
Keycloak: authorization bypass
Category: Authorization Bypass
A flaw was found in the Keycloak package. The trusted-host filter that decides which hosts may register a dynamic client uses a hardcoded, overly permissive regular expression, so hosts outside the intended trusted domains can pass the check. A malicious user with enough information about the environment, specifically a deployment that enables Dynamic Client Registration together with a TrustedDomain policy, could register a client from a host that was previously unauthorized and thereby jeopardize the environment.
Possible countermeasure
Keycloak Server: install the latest version. The CNA version data on this page lists 22.0.10 and 24.0.3 as the first unaffected releases of org.keycloak:keycloak-services; a deployment that cannot upgrade immediately should at least review its Dynamic Client Registration trusted-host policy and disable anonymous registration.
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Affected products (CNA data)

Collection URL: https://github.com/keycloak/keycloak

| Vendor / collection | Product / package | Default status | Version range | Status |
|---|---|---|---|---|
| https://github.com/keycloak/keycloak | org.keycloak:keycloak-services | unaffected | >= 22.0.0, < 22.0.10 | affected |
| https://github.com/keycloak/keycloak | org.keycloak:keycloak-services | unaffected | >= 23.0.0, < 24.0.3 | affected |
| Red Hat | Red Hat build of Keycloak 22 | affected | >= 22.0.10-1 | unaffected |
| Red Hat | Red Hat build of Keycloak 22 | affected | >= 22-13 | unaffected |
| Red Hat | Red Hat build of Keycloak 22 | affected | >= 22-16 | unaffected |
| Red Hat | Red Hat build of Keycloak 22.0.10 | unaffected | all versions | unaffected |
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 7 | affected | >= 0:18.0.13-1.redhat_00001.1.el7sso | unaffected |
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 8 | affected | >= 0:18.0.13-1.redhat_00001.1.el8sso | unaffected |
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 9 | affected | >= 0:18.0.13-1.redhat_00001.1.el9sso | unaffected |
| Red Hat | RHEL-8 based Middleware Containers | affected | >= 7.6-46 | unaffected |
| Red Hat | RHSSO 7.6.8 | unaffected | all versions | unaffected |

A version listed with status "unaffected" and an open upper bound (shown as ">= X") is the first fixed build of that product; builds below it fall under the product's default status.
VulnDex Vulnerability Enrichment
Further vulnerability information

| System | Product | Version range |
|---|---|---|
| Keycloak | Keycloak Server | >= 0.0.0, < 22.0.10 |
| Keycloak | Keycloak Server | >= 24.0.0, < 24.0.3 |
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.31% | 0.798 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 5.4 | 2.8 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
CWE-625 Permissive Regular Expression
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
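The weakness class behind this CVE is easy to reproduce outside Keycloak. The Python block below is an added illustration, not Keycloak's code and not the patch for CVE-2023-6544: it pairs a trusted-host check built from a permissive regular expression (wildcard expanded to `.*`, literal dots left unescaped, no anchors) with a hardened version, and runs both over constructed registration requests of the shape a trusted-domain policy would vet. The `TRUSTED_HOSTS` list, the host names, the URLs and the `registration_allowed` gate are all assumptions made for the example.

```python
"""CWE-625 illustration for a trusted-host policy of the kind that gates
Dynamic Client Registration. Added example, NOT Keycloak's code or its fix:
the policy list, host names and request shapes below are constructed."""
import re
from urllib.parse import urlsplit

# Constructed trusted-host policy in the usual "*.domain" wildcard style.
TRUSTED_HOSTS = ["*.example.com", "example.com"]


def permissive_pattern(trusted: str) -> re.Pattern:
    """Vulnerable translation of a trusted-host entry into a regex:
    '*' becomes '.*', literal dots stay regex wildcards, nothing is anchored."""
    return re.compile(trusted.replace("*", ".*"))


def is_trusted_permissive(host: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    # search() accepts a match anywhere in the host, so attacker-chosen
    # prefixes and suffixes still pass.
    return any(permissive_pattern(t).search(host) for t in trusted_hosts)


def strict_pattern(trusted: str) -> re.Pattern:
    """Hardened translation: escape the literal part, anchor both ends,
    and let a leading '*.' match only whole DNS labels."""
    if trusted.startswith("*."):
        base = re.escape(trusted[2:])
        return re.compile(rf"^(?:[a-z0-9-]{{1,63}}\.)+{base}$")
    return re.compile(rf"^{re.escape(trusted)}$")


def normalize_host(host: str) -> str:
    """Canonicalise before matching: lower-case, strip surrounding
    whitespace and a trailing root dot."""
    return host.strip().lower().rstrip(".")


def is_trusted_strict(host: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    host = normalize_host(host)
    return any(strict_pattern(t).fullmatch(host) for t in trusted_hosts)


def registration_allowed(request_host: str, client_urls, checker) -> bool:
    """Gate a registration the way a trusted-hosts policy would (assumed
    shape): the requesting host and every host named in the client's URLs
    (redirect URIs, root URL, ...) must all be trusted."""
    hosts = [request_host]
    for url in client_urls:
        h = urlsplit(url).hostname
        if not h:  # a URL without a host cannot be vetted; reject it
            return False
        hosts.append(h)
    return all(checker(h) for h in hosts)


# Constructed sample requests.
LEGIT_URLS = ["https://app.example.com/callback"]
ATTACK_URLS = ["https://app.example.com/callback",
               "https://example.com.attacker.net/callback"]
BYPASS_HOSTS = ["example.com.attacker.net",  # unanchored: trusted name as a prefix
                "fooexample.com",            # unescaped dot matches any character
                "evil-example.com"]          # '*' -> '.*' ignores the label boundary


def demo():
    """Return (host, permissive verdict, strict verdict) rows."""
    rows = []
    for h in BYPASS_HOSTS + ["api.example.com", "Example.COM."]:
        rows.append((h, is_trusted_permissive(h), is_trusted_strict(h)))
    return rows


if __name__ == "__main__":
    print("host".ljust(28), "permissive", "strict")
    for host, p, s in demo():
        print(host.ljust(28), str(p).ljust(10), s)
    print("attacker registration, permissive:",
          registration_allowed("api.example.com", ATTACK_URLS, is_trusted_permissive))
    print("attacker registration, strict:    ",
          registration_allowed("api.example.com", ATTACK_URLS, is_trusted_strict))
```

The three bypass hosts each exploit a different defect of the permissive pattern, and all three are rejected once the pattern is escaped, anchored and restricted to whole labels; the last row shows why the host must also be normalised before matching, since the permissive check rejects `Example.COM.` while the hardened one accepts it as the same name. When auditing a deployment, the equivalent check is to confirm that every host a policy admits is one you meant to admit, not merely that your own hosts are accepted.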