Red Hat · Keycloak · CVE-2021-20262
Name of the Vulnerable Software and Affected Versions:
Keycloak version 12.0.0
Description:
A flaw was found in Keycloak where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser: an already authenticated session is sufficient to set a new password. The highest threat from this vulnerability is to confidentiality, integrity, and availability.
Recommendations:
For Keycloak version 12.0.0, consider implementing additional authentication measures to prevent account takeover, such as requiring re-authentication before password updates. As a temporary workaround, restrict access to password update functionality until a patch is available.
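The following is an added example, not Keycloak's code, illustrating the mitigation the recommendation describes: a password-update handler that accepts a new password only when the session's last interactive authentication is recent and the caller proves the current password, shown beside the unchecked pattern the description warns about. The account/session classes, the `MAX_AUTH_AGE_SECONDS` policy value and the status strings are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Re-authentication window: a session whose last interactive login is older
# than this must authenticate again before the password may be changed.
# (Assumed policy value for this example, not a Keycloak setting.)
MAX_AUTH_AGE_SECONDS = 300


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stand-in for a real credential store.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes

    @classmethod
    def create(cls, username: str, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(username, salt, _hash_password(password, salt))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, _hash_password(password, self.salt))

    def set_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(new_password, self.salt)


@dataclass
class Session:
    account: Account
    auth_time: float  # time of the last interactive login or re-authentication


def update_password_unchecked(session: Session, new_password: str) -> str:
    """The weak pattern the advisory describes: holding an authenticated
    browser session is all it takes to rotate the password."""
    session.account.set_password(new_password)
    return "ok"


def update_password(session: Session, current_password: str, new_password: str,
                    now: Optional[float] = None) -> str:
    """Hardened pattern: require a fresh authentication AND proof of the
    current password before accepting a new one."""
    now = time.time() if now is None else now
    if now - session.auth_time > MAX_AUTH_AGE_SECONDS:
        return "reauth_required"          # caller must log in again first
    if not session.account.verify(current_password):
        return "wrong_current_password"   # the session alone is not enough
    session.account.set_password(new_password)
    return "ok"


def reauthenticate(session: Session, password: str, now: Optional[float] = None) -> bool:
    """Refresh auth_time once the user proves the password again."""
    if not session.account.verify(password):
        return False
    session.auth_time = time.time() if now is None else now
    return True
```

The two checks are deliberately independent: the freshness check defends against a session left open in an unattended browser, and the current-password check defends against a session that is fresh but not the account owner's; an audit log entry on every "reauth_required" or "wrong_current_password" result is the natural detection hook.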