CVE-2023-3597
Date: April 25, 2024
A flaw was found in Keycloak: it does not correctly validate client step-up authentication in org.keycloak.authentication. A remote user who has authenticated with only a password can register an additional second factor under their own control alongside the existing one and use it to bypass the stronger authentication level. Exploitation requires a valid account but no interaction from any other user, which is reflected in the CVSS metrics below (PR:L, UI:N).
Language: Java
Weakness Type (CWE): CWE-287 (Authentication Issues)
Top Fix: Upgrade Version
Upgrade org.keycloak:keycloak-services and org.keycloak:keycloak-server-spi to 22.0.10 or 24.0.3, whichever fix matches the release line in use. Both artifacts ship as part of the Keycloak server distribution, so in practice this means upgrading the Keycloak server itself to 22.0.10 or 24.0.3 rather than replacing individual jars.
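The quickest check a practitioner wants is whether a deployed build falls below the fixed versions. The following Python script is an added example, not code from this advisory page or from the Keycloak project: it compares a version of either listed artifact against the two fixes and reads versions out of a constructed `mvn dependency:tree` excerpt. The affected range is inferred here from the two fixed versions the page lists (everything before 22.0.10, and everything from 23.0.0 up to but not including 24.0.3); that interpretation, the sample tree output, and the `sso-gateway` project name are assumptions, not statements from the advisory.

```python
import re
from typing import List, Optional, Tuple

# The two Maven coordinates the advisory lists, and the fixed versions it names.
AFFECTED_ARTIFACTS = ("org.keycloak:keycloak-services", "org.keycloak:keycloak-server-spi")
FIXED_VERSIONS = ("22.0.10", "24.0.3")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '24.0.3' (or '24.0.3-SNAPSHOT' / '24.0.3.Final') into a comparable tuple."""
    core = re.match(r"\d+(?:\.\d+)*", text)
    if not core:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '22.0' compares as 22.0.0


def upgrade_for(version: str) -> Optional[str]:
    """Return the fixed version this version should move to, or None if it is already fixed.

    Range interpretation (an assumption derived from the two fixes the advisory lists):
    a release line with its own fix (22.x, 24.x) is fixed from that version on; any
    other line (21.x, 23.x, ...) is fixed only once it is at or past the highest fix.
    """
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in FIXED_VERSIONS)
    same_line = [f for f in fixes if f[0] == v[0]]
    threshold = min(same_line) if same_line else max(fixes)
    if v >= threshold:
        return None
    # Recommend the nearest fix above the current version, not necessarily the latest.
    target = next(f for f in fixes if f > v)
    return ".".join(str(n) for n in target)


# Matches 'group:artifact:type:version[:scope]' as printed by `mvn dependency:tree`.
# Lines carrying a classifier (group:artifact:type:classifier:version:scope) are not handled.
DEP_LINE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, str, Optional[str]]]:
    """Find the advisory's artifacts in dependency:tree output: (coordinate, version, upgrade-to)."""
    findings = []
    for line in tree_output.splitlines():
        m = DEP_LINE.search(line)
        if not m:
            continue
        coord = f"{m['group']}:{m['artifact']}"
        if coord in AFFECTED_ARTIFACTS:
            findings.append((coord, m["version"], upgrade_for(m["version"])))
    return findings


# Constructed sample output of `mvn dependency:tree`; not taken from any real project.
SAMPLE_TREE = """\
[INFO] com.example:sso-gateway:war:1.4.2
[INFO] +- org.keycloak:keycloak-services:jar:22.0.9:compile
[INFO] |  \\- org.keycloak:keycloak-server-spi:jar:22.0.9:compile
[INFO] +- org.keycloak:keycloak-core:jar:22.0.9:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

if __name__ == "__main__":
    for coord, version, target in scan_dependency_tree(SAMPLE_TREE):
        status = f"AFFECTED, upgrade to {target}" if target else "not affected"
        print(f"{coord} {version}: {status}")
```

Run it against real output with `mvn dependency:tree | python check_keycloak.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; the version parser deliberately ignores qualifiers such as `-SNAPSHOT`, so a pre-release build of a fixed version is reported as fixed and should be confirmed by hand.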
CVSS v3.1
Base Score: 5.0 (Medium), computed from the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

| Metric | Value |
|---|---|
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | HIGH |
| Privileges Required (PR) | LOW |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | LOW |
| Integrity (I) | LOW |
| Availability (A) | LOW |