{ "threat_severity" : "Moderate", "public_date" : "2024-04-16T00:00:00Z", "bugzilla" : { "description" : "keycloak: Authorization Bypass", "id" : "2253116", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2253116" }, "cvss3" : { "cvss3_base_score" : "5.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-625", "details" : [ "A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized.", "A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized." ], "statement" : "Due to the high complexity of this attack, Red Hat considers this a Moderate impact.", "acknowledgement" : "Red Hat would like to thank Bastian Kanbach (Secure Systems DE [bastian.kanbach@securesystems.de]) for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat build of Keycloak 22", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1867", "cpe" : "cpe:/a:redhat:build_keycloak:22::el9", "package" : "rhbk/keycloak-operator-bundle:22.0.10-1" }, { "product_name" : "Red Hat build of Keycloak 22", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1867", "cpe" : "cpe:/a:redhat:build_keycloak:22::el9", "package" : "rhbk/keycloak-rhel9:22-13" }, { "product_name" : "Red Hat build of Keycloak 22", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1867", "cpe" : "cpe:/a:redhat:build_keycloak:22::el9", "package" : "rhbk/keycloak-rhel9-operator:22-16" }, { "product_name" : "Red Hat build of Keycloak 22.0.10", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1868", "cpe" : "cpe:/a:redhat:build_keycloak:22", "package" : "keycloak-core" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1860", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package" : "rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el7sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1861", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package" : "rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el8sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1862", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package" : "rh-sso7-keycloak-0:18.0.13-1.redhat_00001.1.el9sso" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1864", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-46" }, { "product_name" : "RHSSO 7.6.8", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1866", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6", "package" : "rh-sso7-keycloak" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-6544\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6544" ], "name" : "CVE-2023-6544", "mitigation" : { "value" : "No mitigation is currently available for this flaw.", "lang" : "en:us" }, "csaw" : false }