CVE-2023-2422 โ€” Improper Certificate Validation in Redhat Openshift Container Platform

CWE-295 โ€” Improper Certificate Validation5 documents5 sources
Severity
7.1HIGHNVD
CNA5.5
EPSS
0.3%
top 44.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat Openshift Container PlatformRedhat Single Sign-on
Timeline
PublishedOct 4

Description

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages1 packages

โ–ถNVDredhat/single_sign-on7.6

Also affects: Openshift Container Platform 4.10, 4.11, 4.12, 4.9

๐Ÿ”ดVulnerability Details

3
CVEList
Keycloak: oauth client impersonationโ†—2023-10-04
โ–ถ
GHSA
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clientsโ†—2023-06-30
โ–ถ
OSV
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clientsโ†—2023-06-30
โ–ถ

๐Ÿ“‹Vendor Advisories

1
Red Hat
keycloak: oauth client impersonationโ†—2023-06-26
โ–ถ
CVE-2023-2422 โ€” Improper Certificate Validation | cvebase