PT-2023-16014 · Red Hat · Keycloak

Willem Noort

Publicado

2023-01-11

Atualizado

2023-07-18

CVE-2023-0105

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A flaw in Keycloak allows impersonation and lockout due to incorrect handling of email trust. This issue enables an attacker to shadow other users with the same email, potentially leading to lockout or impersonation. The problem arises because the verified state of an email is not reset when the email changes, allowing users to shadow others with the same email.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-287CWE-841

Identificadores relacionados

CVE-2023-0105

GHSA-C7XW-P58W-H6FJ

GHSA-VHVQ-JH34-3FC8

RHSA-2023:7482

RHSA-2023:7483

RHSA-2023:7484

Produtos afetados

Keycloak

PT-2023-16014 · Red Hat · Keycloak

CVE-2023-0105

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 11