Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jN3h3LXA1OHctaDZmas4AA0xs
Keycloak: Impersonation and lockout possible through incorrect handling of email trust
Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.
Permalink: https://github.com/advisories/GHSA-c7xw-p58w-h6fjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jN3h3LXA1OHctaDZmas4AA0xs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 10 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Identifiers: GHSA-c7xw-p58w-h6fj, CVE-2023-0105
References:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-c7xw-p58w-h6fj
- https://github.com/keycloak/keycloak/commit/87a50d3ba790b049e436c9925874f9b418af7988
- https://access.redhat.com/security/cve/CVE-2023-0105
- https://bugzilla.redhat.com/show_bug.cgi?id=2158910
- https://github.com/advisories/GHSA-c7xw-p58w-h6fj
Blast Radius: 19.9
Affected Packages
maven:org.keycloak:keycloak-core
Dependent packages: 376Dependent repositories: 1,153
Downloads:
Affected Version Ranges: < 22.0.1
Fixed in: 22.0.1
All affected versions: 5.0.0, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 8.0.0, 8.0.1, 8.0.2, 9.0.0, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.0.1, 14.0.0, 15.0.0, 15.0.1, 15.0.2, 15.1.0, 15.1.1, 16.0.0, 16.1.0, 16.1.1, 17.0.0, 17.0.1, 18.0.0, 18.0.1, 18.0.2, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.1.1, 21.1.2, 22.0.0
All unaffected versions: 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 23.0.0, 23.0.1, 23.0.2, 23.0.3