GHSA-4f53-xh3v-g8x4: Keycloak secondary factor bypass in step-up authentication
Keycloak does not correctly validate its client step-up authentication. A password-authenticated attacker could use this flaw to register a false second authentication factor, alongside the existing one, on a targeted account. That second factor then satisfies step-up authentication.
- CVE-2023-3597
Moderate severity. GitHub Reviewed. Published Apr 17, 2024 in keycloak/keycloak. Updated Apr 17, 2024.
Package: org.keycloak:keycloak-services (Maven)
Affected versions
< 22.0.10
>= 23.0.0, < 24.0.3
Patched versions
22.0.10
24.0.3
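The affected and patched ranges above are what a defender actually needs to act on: is the keycloak-services artifact in a given deployment inside one of the vulnerable ranges? The following Python is an added example, not code from the advisory or from the Keycloak project. It parses the advisory's range notation ("< 22.0.10" and ">= 23.0.0, < 24.0.3", read as an OR of comma-separated AND constraints), compares three-component release versions, and scans a `mvn dependency:list`-style listing for the artifact. The listing format (`group:artifact:jar:version:scope`) and the sample lines are assumptions constructed for the example; pre-release suffixes such as `-SNAPSHOT` are deliberately rejected rather than guessed at.

```python
import re
from typing import Callable, Dict, List, Tuple

# Ranges copied from the advisory for org.keycloak:keycloak-services.
# Each string is an AND of comma-separated constraints; the list is an OR.
AFFECTED_RANGES: List[str] = [
    "< 22.0.10",
    ">= 23.0.0, < 24.0.3",
]
PATCHED_VERSIONS: List[str] = ["22.0.10", "24.0.3"]

Version = Tuple[int, int, int]


def parse_version(v: str) -> Version:
    """Turn '24.0.3' into (24, 0, 3).

    Only released three-component versions are accepted; suffixed builds such as
    '24.0.3-SNAPSHOT' are rejected because the advisory ranges say nothing about them.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_range(spec: str) -> List[Tuple[str, Version]]:
    """Parse '>= 23.0.0, < 24.0.3' into [('>=', (23,0,0)), ('<', (24,0,3))]."""
    constraints = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\d.]+)\s*", part)
        if not m:
            raise ValueError(f"unsupported range constraint: {part!r}")
        constraints.append((m.group(1), parse_version(m.group(2))))
    return constraints


def is_affected(version: str, ranges: List[str] = AFFECTED_RANGES) -> bool:
    """True if `version` falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(
        all(_OPS[op](v, bound) for op, bound in parse_range(spec))
        for spec in ranges
    )


# Constructed sample of `mvn dependency:list` output (assumed format, not real
# project output): one resolved artifact per line as group:artifact:jar:version:scope.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.keycloak:keycloak-core:jar:24.0.2:compile
[INFO]    org.keycloak:keycloak-services:jar:24.0.2:compile
[INFO]    org.jboss.logging:jboss-logging:jar:3.5.3.Final:compile
"""

_ARTIFACT_RE = re.compile(r"org\.keycloak:keycloak-services:jar:(\d+\.\d+\.\d+)")


def find_affected_in_dependency_list(listing: str) -> List[str]:
    """Return every keycloak-services version in the listing that is in an affected range."""
    found = _ARTIFACT_RE.findall(listing)
    return [v for v in found if is_affected(v)]


if __name__ == "__main__":
    for v in ["21.1.2", "22.0.9", "22.0.10", "23.0.0", "24.0.2", "24.0.3"]:
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("affected in sample listing:", find_affected_in_dependency_list(SAMPLE_MVN_OUTPUT))
```

Note that a 22.0.x release later than 22.0.10 is correctly reported as not affected: the first range is an upper bound only, and the second range starts at 23.0.0, so the 22.0 branch is fixed from 22.0.10 onward, matching the patched versions listed above.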
References
- GHSA-4f53-xh3v-g8x4
- keycloak/keycloak@aa634ae
Published to the GitHub Advisory Database: Apr 17, 2024
Last updated: Apr 17, 2024
Related news
Red Hat Security Advisory 2024-1868-03 - An update is now available for Red Hat build of Keycloak. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.