PT-2023-5395 · Keycloak+1 · Keycloak

Dasniko · Published 2023-09-12 · Updated 2023-09-15 · CVE-2023-4918

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: The issue is related to the transmission of data in plain text, allowing a remote attacker to gain access to user credentials. When a user registers through the registration flow, the password and password-confirm fields submitted in the form are stored as regular user attributes. All users and clients with the appropriate rights and roles can read these attributes, so a malicious user with minimal access can retrieve other users' passwords in clear text. This jeopardizes the environment.

Recommendations: For all affected versions, disable self-registration for users in all realms until a patch is available. As a temporary workaround, consider restricting access to user attributes to minimize the risk of exploitation. Avoid using the password and password-confirm fields in the registration flow until the issue is resolved.
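The recommendations above leave an administrator with two practical tasks: find out whether any existing user records already carry the leaked password and password-confirm attributes, and confirm that self-registration is switched off in each realm. The following is an added example (not code from the advisory or from the Keycloak project) that performs both checks over exported user and realm records. It assumes the shape of Keycloak's Admin REST API representations, in which a user's `attributes` is a map from attribute name to a list of string values and a realm's `registrationAllowed` flag controls self-registration; the sample records are constructed for illustration. The audit reports attribute names only, never the stored values, so its output can be logged safely.

```python
"""Audit exported Keycloak user records for leaked registration-form password
fields and check whether a realm still allows self-registration.

Added example, not from the advisory or the Keycloak project. Assumes the
Admin REST API representation shapes described in the lead-in; the sample
data at the bottom is constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Attribute names the advisory says the registration flow stores verbatim.
SENSITIVE_ATTRIBUTE_NAMES = ("password", "password-confirm")


def find_exposed_password_attributes(
    users: Iterable[Dict], sensitive: Iterable[str] = SENSITIVE_ATTRIBUTE_NAMES
) -> List[Tuple[str, str]]:
    """Return (username, attribute_name) pairs for every user whose attribute
    map contains one of the sensitive names. Matching is case-insensitive
    because the names originate from a form and may be normalized differently.
    Only names are returned; the attribute values are never read out."""
    wanted = {name.lower() for name in sensitive}
    hits: List[Tuple[str, str]] = []
    for user in users:
        attrs = user.get("attributes") or {}
        for name in attrs:
            if name.lower() in wanted:
                hits.append((user.get("username", "<unknown>"), name))
    return hits


def scrub_password_attributes(
    user: Dict, sensitive: Iterable[str] = SENSITIVE_ATTRIBUTE_NAMES
) -> Dict:
    """Return a copy of the user record with the sensitive attributes removed.
    The input is not mutated, so the caller can diff old and new before
    writing the cleaned representation back through the admin API."""
    wanted = {name.lower() for name in sensitive}
    cleaned = dict(user)
    cleaned["attributes"] = {
        name: values
        for name, values in (user.get("attributes") or {}).items()
        if name.lower() not in wanted
    }
    return cleaned


def realm_allows_self_registration(realm: Dict) -> bool:
    """True when the realm's `registrationAllowed` flag is set (assumption:
    this is the RealmRepresentation field behind the admin console's
    'User registration' switch). Missing flag is treated as disabled."""
    return bool(realm.get("registrationAllowed", False))


# Constructed sample data: alice was created by an admin, bob registered
# through the affected self-registration flow.
SAMPLE_USERS = [
    {"username": "alice", "attributes": {"department": ["it"]}},
    {
        "username": "bob",
        "attributes": {
            "password": ["Winter2023!"],
            "password-confirm": ["Winter2023!"],
            "locale": ["en"],
        },
    },
]
SAMPLE_REALM = {"realm": "demo", "registrationAllowed": True}


if __name__ == "__main__":
    for username, attr in find_exposed_password_attributes(SAMPLE_USERS):
        # Report the attribute name only; the value stays out of the log.
        print(f"user {username!r} carries cleartext credential attribute {attr!r}")
    if realm_allows_self_registration(SAMPLE_REALM):
        print(f"realm {SAMPLE_REALM['realm']!r} still allows self-registration; disable it until patched")
```

In a real deployment the user and realm dictionaries would come from a JSON export or from the admin API, and the cleaned record from `scrub_password_attributes` would be written back; after the scrub, the affected users should also be asked to change their passwords, since the cleartext values were readable by anyone holding attribute-read rights.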

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information

Related Identifiers

BDU:2023-06025
CVE-2023-4918
GHSA-5Q66-V53Q-PM35

Affected Products

Keycloak