Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jN3h3LXA1OHctaDZmas4AA0xs
Keycloak: Impersonation and lockout possible through incorrect handling of email trust
Impersonation and lockout are possible because Keycloak does not handle email trust correctly: the verified state is not reset when a user's email changes, so a user can shadow another user with the same email and lock them out or impersonate them.
Permalink: https://github.com/advisories/GHSA-c7xw-p58w-h6fj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jN3h3LXA1OHctaDZmas4AA0xs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Identifiers: GHSA-c7xw-p58w-h6fj, CVE-2023-0105
References:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-c7xw-p58w-h6fj
- https://github.com/keycloak/keycloak/commit/87a50d3ba790b049e436c9925874f9b418af7988
- https://access.redhat.com/security/cve/CVE-2023-0105
- https://bugzilla.redhat.com/show_bug.cgi?id=2158910
- https://github.com/advisories/GHSA-c7xw-p58w-h6fj
Blast Radius: 19.9
Affected Packages
maven:org.keycloak:keycloak-core
Dependent packages: 376
Dependent repositories: 1,153
Downloads:
Affected Version Ranges: < 22.0.1
Fixed in: 22.0.1
All affected versions: 5.0.0, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 8.0.0, 8.0.1, 8.0.2, 9.0.0, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.0.1, 14.0.0, 15.0.0, 15.0.1, 15.0.2, 15.1.0, 15.1.1, 16.0.0, 16.1.0, 16.1.1, 17.0.0, 17.0.1, 18.0.0, 18.0.1, 18.0.2, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.1.1, 21.1.2, 22.0.0
All unaffected versions: 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4, 23.0.5, 23.0.6, 23.0.7, 24.0.0, 24.0.1, 24.0.2, 24.0.3, 24.0.4, 24.0.5, 25.0.0, 25.0.1, 25.0.2, 25.0.3, 25.0.4, 25.0.5, 25.0.6, 26.0.0, 26.0.1, 26.0.2, 26.0.3, 26.0.4, 26.0.5