CVE-2023-1664Improper Certificate Validation in Redhat Keycloak

CWE-295Improper Certificate Validation6 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 51.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Redhat KeycloakRedhat Jboss A-mqRedhat Single Sign-on
Timeline
PublishedMay 26
Latest updateSep 18

Description

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

CVEListV5redhat/keycloakNA

🔴Vulnerability Details

3
OSV
Keycloak Untrusted Certificate Validation vulnerability2023-06-30
GHSA
Keycloak Untrusted Certificate Validation vulnerability2023-06-30
CVEList
CVE-2023-1664: A flaw was found in Keycloak2023-05-26

📋Vendor Advisories

2
Red Hat
kernel: f2fs: don't reset unchangable mount option in f2fs_remount()2025-09-18
Red Hat
keycloak: Untrusted Certificate Validation2023-03-27