logo

Database

Insecure digital certificates In org.keycloak:keycloak-core

Description

Keycloak Untrusted Certificate Validation vulnerability A flaw was found in keycloak-core. This flaw considers the scenario when using X509 Client Certificate Authenticatior with the option "Revalidate Client Certificate". A user may be able to choose, if directly connect to keycloak (not passing via reverse proxy) a specific certificate. If there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE the authenticator allows even with the "Cannot validate client certificate trust: Truststore not available" message as there's no certificate to trust against.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-16642. NVD-2023-16643. OSV-2023-16644. GHSA-5cc8-pgp5-7mpm5. GCVE-2023-16646. ACCESS-CVE-2023-1664

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-5cc8-pgp5-7mpm2. https://bugzilla.redhat.com/show_bug.cgi?id=2182196&comment#0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.