medium
6.5
CWE
295
Advisory Published
Advisory Published
Updated

CVE-2023-1664

First published: Mon Mar 27 2023(Updated: )

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5cc8-pgp5-7mpm. This link is maintained to preserve external references. ## Original Advisory A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.

Credit: secalert@redhat.com secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
Redhat Keycloak
Redhat Single Sign-on=7.0
Redhat Build Of Quarkus
Redhat Jboss A-mq=7
Redhat Migration Toolkit For Runtimes
redhat/rh-sso7-keycloak<0:18.0.8-1.redhat_00001.1.el7
0:18.0.8-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:18.0.8-1.redhat_00001.1.el8
0:18.0.8-1.redhat_00001.1.el8
redhat/rh-sso7-keycloak<0:18.0.8-1.redhat_00001.1.el9
0:18.0.8-1.redhat_00001.1.el9
maven/org.keycloak:keycloak-core<=21.1.1
redhat/keycloak-core<21.1.2
21.1.2

Remedy

Make sure KC_SPI_TRUSTSTORE_FILE_FILE is correctly set and the logs are not reporting the "Cannot validate client certificate trust: Truststore not available" after an attempt to explore the vulnerability. Note this message may happen under other scenarios and reasons but the expected behavior would be that a non-valid certificate to pass.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the vulnerability ID of this Keycloak flaw?

    The vulnerability ID of this Keycloak flaw is CVE-2023-1664.

  • How can an attacker exploit this vulnerability?

    An attacker can exploit this vulnerability by enabling the non-default configuration 'Revalidate Client Certificate' and bypassing the certificate validation process.

  • What versions of Keycloak are affected by this vulnerability?

    Keycloak versions up to and including 21.1.1 are affected by this vulnerability.

  • What is the severity of CVE-2023-1664?

    CVE-2023-1664 has a severity rating of 6.5 (Medium).

  • Where can I find more information about CVE-2023-1664?

    You can find more information about CVE-2023-1664 on the NIST website and the Red Hat Bugzilla and Security Advisory.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203