Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-46c8-635v-68r2: Keycloak Authorization Bypass vulnerability

Due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client, a malicious user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration previously unauthorized.

Acknowledgements:

Special thanks to Bastian Kanbach for reporting this issue and helping us improve our security.

ghsa
#vulnerability#git#java#auth#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-6544

Keycloak Authorization Bypass vulnerability

Moderate severity GitHub Reviewed Published Apr 17, 2024 in keycloak/keycloak

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

< 22.0.10

>= 23.0.0, < 24.0.3

Patched versions

22.0.10

24.0.3

Due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client, a malicious user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration previously unauthorized.

Acknowledgements:

Special thanks to Bastian Kanbach for reporting this issue and helping us improve our security.

References

  • GHSA-46c8-635v-68r2

Published to the GitHub Advisory Database

Apr 17, 2024

Related news

Red Hat Security Advisory 2024-1868-03

Red Hat Security Advisory 2024-1868-03 - An update is now available for Red Hat build of Keycloak. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.