Benjamin Taylor

**Name of the Vulnerable Software and Affected Versions** DuoUniversalKeycloakAuthenticator version 1.0.7 **Description** An information disclosure vulnerability exists in the challenge functionality of the DuoUniversalKeycloakAuthenticator plugin. A specially crafted HTTP request can lead to a disclosure of sensitive information. This issue is triggered when a user logs into Keycloak using the DuoUniversalKeycloakAuthenticator plugin. **Recommendations** For DuoUniversalKeycloakAuthenticator version 1.0.7, consider disabling the challenge functionality of the plugin until a patch is available to prevent the disclosure of sensitive information. Restrict access to the plugin to minimize the risk of exploitation. Avoid using the DuoUniversalKeycloakAuthenticator plugin for user login to Keycloak until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.