GHSA-j628-q885-8gr5: Keycloak vulnerable to log Injection during WebAuthn authentication or registration
A flaw was found in Keycloak 22.0.5. Errors raised in the browser client during setup or authentication with “Security Key login” (WebAuthn) are written into the form, sent to Keycloak and logged without escaping, allowing log injection.
Acknowledgements: Special thanks to Theresa Henze for reporting this issue and helping us improve our security.
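As an added illustration (not Keycloak's own code or its actual fix), the Java snippet below contrasts logging a client-supplied WebAuthn error string verbatim with escaping control characters and bounding its length first; the class, method names and the sample value are assumptions.

```java
public final class WebAuthnErrorLogging {

    // Upper bound on how much of a client-controlled field is worth logging.
    private static final int MAX_LOGGED_LENGTH = 200;

    private WebAuthnErrorLogging() {}

    /** Vulnerable pattern: the form field is concatenated into the log line unchanged. */
    static String vulnerableLogLine(String clientError) {
        return "WebAuthn error: " + clientError;
    }

    /** Hardened pattern: the value is escaped and bounded before it reaches the logger. */
    static String hardenedLogLine(String clientError) {
        return "WebAuthn error: " + escapeForLog(clientError);
    }

    /** Replaces line breaks and other control characters so the value stays on one log line. */
    static String escapeForLog(String value) {
        if (value == null) {
            return "<null>";
        }
        String bounded = value.length() > MAX_LOGGED_LENGTH
                ? value.substring(0, MAX_LOGGED_LENGTH) + "...(truncated)"
                : value;
        StringBuilder sb = new StringBuilder(bounded.length());
        for (char c : bounded.toCharArray()) {
            if (c == '\n') sb.append("\\n");
            else if (c == '\r') sb.append("\\r");
            else if (c == '\t') sb.append("\\t");
            // Covers C0/C1 controls (incl. NEL) and Unicode line/paragraph separators.
            else if (Character.isISOControl(c) || c == '\u2028' || c == '\u2029')
                sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an error value that embeds a line break, so a naive
        // logger would emit a second line that looks like a separate log entry.
        String crafted = "NotAllowedError\n2024-04-17 INFO second line";
        System.out.println(vulnerableLogLine(crafted).split("\n").length); // 2 lines
        System.out.println(hardenedLogLine(crafted).split("\n").length);   // 1 line
    }
}
```

The same escaping belongs at every point where a client-supplied value is interpolated into a log message, not only on the WebAuthn error path.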
CVE ID
CVE-2023-6484
Low severity GitHub Reviewed Published Apr 17, 2024 in keycloak/keycloak • Updated Apr 17, 2024
Package
maven org.keycloak:keycloak-services (Maven)
Affected versions
< 22.0.9
>= 23.0.0, < 23.0.5
Patched versions
22.0.9
23.0.5
References
- GHSA-j628-q885-8gr5
Published to the GitHub Advisory Database
Apr 17, 2024
Last updated
Apr 17, 2024
Related news
Red Hat Security Advisory 2024-1868-03 - An update is now available for Red Hat build of Keycloak. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.
Red Hat Security Advisory 2024-1865-03 - Red Hat Single Sign-On 7.6.8 Operator enhancement and security update.
Red Hat Security Advisory 2024-0804-03 - A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0801-03 - A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0800-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0799-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0798-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 7. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.