Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4f53-xh3v-g8x4: Keycloak secondary factor bypass in step-up authentication

Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication.

ghsa
#git#java#auth#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-3597

Keycloak secondary factor bypass in step-up authentication

Moderate severity GitHub Reviewed Published Apr 17, 2024 in keycloak/keycloak • Updated Apr 17, 2024

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

< 22.0.10

>= 23.0.0, < 24.0.3

Patched versions

22.0.10

24.0.3

Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication.

References

  • GHSA-4f53-xh3v-g8x4
  • keycloak/keycloak@aa634ae

Published to the GitHub Advisory Database

Apr 17, 2024

Last updated

Apr 17, 2024

Related news

Red Hat Security Advisory 2024-1868-03

Red Hat Security Advisory 2024-1868-03 - An update is now available for Red Hat build of Keycloak. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.