
CVE-2023-0105 org.keycloak:keycloak-core

Package

Manager: maven
Name: org.keycloak:keycloak-core
Vulnerable Version: >=0 <22.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00088 (percentile 0.26161)

Details

Keycloak: Impersonation and lockout possible through incorrect handling of email trust

Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.

Metadata

Created: 2023-07-18T19:12:28Z
Modified: 2023-07-18T19:12:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-c7xw-p58w-h6fj/GHSA-c7xw-p58w-h6fj.json
CWE IDs: ["CWE-287", "CWE-841"]
Alternative ID: GHSA-c7xw-p58w-h6fj
Finding: F006
Auto approve: 1