GHSA-9g98-5mj6-f9mv

Source

https://github.com/advisories/GHSA-9g98-5mj6-f9mv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-9g98-5mj6-f9mv/GHSA-9g98-5mj6-f9mv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9g98-5mj6-f9mv

Aliases

CVE-2023-0264

Related

CGA-w6fw-p4v2-p4fj

Published

2023-03-02T23:25:43Z

Modified

2024-02-16T08:22:45.403736Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Keycloak vulnerable to user impersonation via stolen UUID code

Details

Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens.

Database specific

{
    "nvd_published_at": "2023-08-04T18:15:11Z",
    "cwe_ids": [
        "CWE-287",
        "CWE-345"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-02T23:25:43Z"
}

References

Affected packages

Maven / org.keycloak:keycloak-services

Package

Name: org.keycloak:keycloak-services; View open source insights on deps.dev
Purl: pkg:maven/org.keycloak/keycloak-services

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

21.0.1

Affected versions

1.*

1.0-alpha-1

1.0-alpha-1-12062013

1.0-alpha-2

1.0-alpha-3

1.0-alpha-4

1.0-beta-1

1.0-beta-1-20150521

1.0-beta-1-20150523

1.0-beta-2

1.0-beta-3

1.0-beta-4

1.0-rc-1

1.0-rc-2

1.0-final

1.0.1.Final

1.0.2.Final

1.0.3.Final

1.0.4.Final

1.0.5.Final

1.1.0.Beta1

1.1.0.Beta2

1.1.0.Final

1.1.1.Final

1.2.0.Beta1

1.2.0.CR1

1.2.0.Final

1.3.0.Final

1.3.1.Final

1.4.0.Final

1.5.0-Final

1.5.0.Final

1.5.1.Final

1.6.0.Final

1.6.1.Final

1.7.0.CR1

1.7.0.Final

1.8.0.Alpha1

1.8.0.CR1

1.8.0.CR2

1.8.0.CR3

1.8.0.Final

1.8.1.Final

1.9.0.CR1

1.9.0.Final

1.9.1.Final

1.9.2.Final

1.9.3.Final

1.9.4.Final

1.9.5.Final

1.9.7.Final

1.9.8.Final

2.*

2.0.0.CR1

2.0.0.Final

2.1.0.CR1

2.1.0.Final

2.2.0.CR1

2.2.0.Final

2.2.1.Final

2.3.0.CR1

2.3.0.Final

2.4.0.CR1

2.4.0.Final

2.5.0.CR1

2.5.0.Final

2.5.1.Final

2.5.4.Final

2.5.5.Final

3.*

3.0.0.CR1

3.0.0.Final

3.1.0.CR1

3.1.0.Final

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.3.0.CR1

3.3.0.CR2

3.3.0.Final

3.4.0.CR1

3.4.0.Final

3.4.1.CR1

3.4.1.Final

3.4.2.Final

3.4.3.Final

4.*

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.Final

4.1.0.Final

4.2.0.Final

4.2.1.Final

4.3.0.Final

4.4.0.Final

4.5.0.Final

4.6.0.Final

4.7.0.Final

4.8.0.Final

4.8.1.Final

4.8.2.Final

4.8.3.Final

5.*

5.0.0

6.*

6.0.0

6.0.1

7.*

7.0.0

7.0.1

8.*

8.0.0

8.0.1

8.0.2

9.*

9.0.0

9.0.2

9.0.3

10.*

10.0.0

10.0.1

10.0.2

11.*

11.0.0

11.0.1

11.0.2

11.0.3

12.*

12.0.0

12.0.1

12.0.2

12.0.3

12.0.4

13.*

13.0.0

13.0.1

14.*

14.0.0

15.*

15.0.0

15.0.1

15.0.2

15.1.0

15.1.1

16.*

16.0.0

16.1.0

16.1.1

17.*

17.0.0

17.0.1

18.*

18.0.0

18.0.1

18.0.2

19.*

19.0.0

19.0.1

19.0.2

19.0.3

20.*

20.0.0

20.0.1

20.0.2

20.0.3

20.0.4

20.0.5

21.*

21.0.0