PT-2023-31270 · Duo · Duouniversalkeycloakauthenticator
Benjamin Taylor · Published 2023-12-23 · Updated 2024-01-17
CVE-2023-49594
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
DuoUniversalKeycloakAuthenticator version 1.0.7
Description
An information disclosure vulnerability exists in the challenge functionality of the DuoUniversalKeycloakAuthenticator plugin. A specially crafted HTTP request can lead to a disclosure of sensitive information. This issue is triggered when a user logs into Keycloak using the DuoUniversalKeycloakAuthenticator plugin.
Recommendations
For DuoUniversalKeycloakAuthenticator version 1.0.7, consider disabling the plugin's challenge functionality to prevent the disclosure of sensitive information until a patch is available. Restrict access to the plugin to minimize the risk of exploitation. Avoid using the DuoUniversalKeycloakAuthenticator plugin for user login to Keycloak until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Affected Products
DuoUniversalKeycloakAuthenticator