Fluid Attacks Database

Description

Keycloak: Impersonation and lockout possible through incorrect handling of email trust Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-parent	-	-
npm	keycloak-connect	-	-
maven	org.keycloak:keycloak-core	>=0 <22.0.1	22.0.1

Aliases

1. CVE-2023-01052. NVD-2023-01053. OSV-2023-01054. GHSA-c7xw-p58w-h6fj5. GCVE-2023-01056. ACCESS-CVE-2023-0105

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-c7xw-p58w-h6fj2. https://github.com/keycloak/keycloak/commit/87a50d3ba790b049e436c9925874f9b418af79883. https://bugzilla.redhat.com/show_bug.cgi?id=2158910

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.