CVE-2023-0264

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.

Published: Aug 4, 2023
Updated: May 10, 2024
CVE: CVE-2023-0264
GHSA: GHSA-9g98-5mj6-f9mv
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CWEs:

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	21.0.1
redhat / keycloak	-	18.0.6
redhat / single_sign-on	-	7.6.2
redhat / openshift_container_platform	4.9	4.9.x
redhat / openshift_container_platform	4.10	4.10.x
redhat / openshift_container_platform_for_ibm_linuxone	4.9	4.9.x
redhat / openshift_container_platform_for_ibm_linuxone	4.10	4.10.x
redhat / openshift_container_platform_ibm_z_systems	4.9	4.9.x
redhat / openshift_container_platform_ibm_z_systems	4.10	4.10.x

Vulnerability Database

289,599

CVE-2023-0264