CVE: CVE-2023-2422

Descrizione: A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.

Vettore di attacco CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Riferimenti esterni

• https://access.redhat.com/errata/RHSA-2023:3883
• https://access.redhat.com/errata/RHSA-2023:3884
• https://access.redhat.com/errata/RHSA-2023:3885
• https://access.redhat.com/errata/RHSA-2023:3888
• https://access.redhat.com/errata/RHSA-2023:3892
• https://access.redhat.com/security/cve/CVE-2023-2422
• https://bugzilla.redhat.com/show_bug.cgi?id=2191668

Prodotti interessati

• Red Hat – Red Hat Single Sign-On 7
• Red Hat – Red Hat Single Sign-On 7.6 for RHEL 7
• Red Hat – Red Hat Single Sign-On 7.6 for RHEL 8
• Red Hat – Red Hat Single Sign-On 7.6 for RHEL 9
• Red Hat – RHEL-8 based Middleware Containers

Relazioni con altri prodotti

Produttore:Red Hat
Prodotto: Red Hat Single Sign-On 7
Anno: 2023
CWE: CWE-295
CVSS: 0.0

Produttore:Red Hat
Prodotto: Red Hat Single Sign-On 7.6 for RHEL 7
Anno: 2023
CWE: CWE-295
CVSS: 0.0

Produttore:Red Hat
Prodotto: Red Hat Single Sign-On 7.6 for RHEL 8
Anno: 2023
CWE: CWE-295
CVSS: 0.0

Produttore:Red Hat
Prodotto: Red Hat Single Sign-On 7.6 for RHEL 9
Anno: 2023
CWE: CWE-295
CVSS: 0.0

Produttore:Red Hat
Prodotto: RHEL-8 based Middleware Containers
Anno: 2023
CWE: CWE-295
CVSS: 0.0

Ulteriori risorse disponibili

• Vulnerabilità scoperte nello stesso anno (2023)