{
  "threat_severity" : "Low",
  "public_date" : "2023-11-29T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: LDAP injection on username input",
    "id" : "2096994",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2096994"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "A flaw was found in the Keycloak package. This flaw allows an attacker to use LDAP injection to bypass the username lookup or potentially perform other malicious actions.", "A flaw was found in the Keycloak package. This flaw allows an attacker to use LDAP injection to bypass the username lookup or potentially perform other malicious actions." ],
  "acknowledgement" : "Red Hat would like to thank Konstantin Goldenberg (VHV) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7",
    "release_date" : "2024-01-09T00:00:00Z",
    "advisory" : "RHSA-2024:0094",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7",
    "package" : "rh-sso7-keycloak-0:18.0.11-3.redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8",
    "release_date" : "2024-01-09T00:00:00Z",
    "advisory" : "RHSA-2024:0095",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8",
    "package" : "rh-sso7-keycloak-0:18.0.11-3.redhat_00001.1.el8sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9",
    "release_date" : "2024-01-09T00:00:00Z",
    "advisory" : "RHSA-2024:0096",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9",
    "package" : "rh-sso7-keycloak-0:18.0.11-3.redhat_00001.1.el9sso"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-2232\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2232" ],
  "name" : "CVE-2022-2232",
  "mitigation" : {
    "value" : "This flaw requires a misconfiguration of the \"UUID LDAP Attribute\" values. When they are set to the standard entryUUID, objectGUID or nsuniqueid, Keycloak is not vulnerable.",
    "lang" : "en:us"
  },
  "csaw" : false
}