CVE-2023-0091

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A flaw was found in Keycloak where it did not properly check client tokens for possible revocation in its client credential flow. This allows an attacker to access or modify potentially sensitive information. Specifically, when a service account with the create-client or manage-clients role uses the client-registration endpoints to create or manage clients with an access token, and if the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints, such as "/api/v1/client-registration".

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.