CVE-2023-1664

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description The issue is related to errors in the certificate authentication procedure. An attacker may be able to choose a certificate that will be validated by the server if the "Revalidate Client Certificate" option is enabled and the reverse proxy does not validate the certificate before Keycloak. This could impact the confidentiality and integrity of protected information. The KC SPI TRUSTSTORE FILE FILE variable must be correctly configured to prevent any trustfile from being accepted.

Recommendations As a temporary workaround, consider disabling the "Revalidate Client Certificate" option until a proper configuration is in place. Ensure the KC SPI TRUSTSTORE FILE FILE variable is correctly configured to prevent trustfile acceptance issues. Restrict access to the Keycloak server to minimize the risk of exploitation, especially when using the X509 Client Certificate Authenticator. At the moment, there is no information about a newer version that contains a fix for this vulnerability.