Severity: MEDIUM (CVSS 6.5) · Ecosystem: Maven
Keycloak lacks validation of access tokens on the client registration endpoint
GHSA-v436-q368-hvgg · CVE-2023-0091
Description
A service account holding the create-client or manage-clients role can use the client-registration endpoints to create and manage clients, authenticating with an access token.
If that access token is leaked, the operator can revoke the specific token. The client-registration endpoints, however, did not check whether a token had been revoked, so a leaked token continued to be accepted on those endpoints after revocation, for as long as it remained unexpired.
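The flaw is a missing step in the endpoint's token check, not a broken signature or expiry check. The following is an added illustration of that pattern and is not Keycloak code: a guard that verifies a compact HMAC-signed token's signature, expiry and role but never consults the revocation store, beside the corrected guard that does. The token format, the in-memory set standing in for the revocation store, and the helper names are assumptions made for the example; only the role names (create-client, manage-clients) come from the advisory text.

```python
"""
Added illustration (not Keycloak code): an endpoint guard that verifies a
bearer token's signature, expiry and role but forgets to consult the
revocation list, next to the corrected guard that does.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Set

# Constructed signing key for this example only.
SIGNING_KEY = b"example-hmac-key-not-for-production"

# Roles the advisory says may use the client-registration endpoints.
CLIENT_REGISTRATION_ROLES = {"create-client", "manage-clients"}

# Token identifiers (jti) that have been revoked; an assumed stand-in
# for the server-side revocation store.
REVOKED_JTIS: Set[str] = set()


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: List[str], jti: str,
                ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a compact HMAC-signed token: base64url(claims).base64url(mac)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "roles": roles, "jti": jti, "exp": now + ttl}
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(mac)}"


def verify_and_decode(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Check signature and expiry only; return the claims or None."""
    now = int(time.time()) if now is None else now
    try:
        body, mac_text = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(mac_text)):
            return None
        claims = json.loads(unb64url(body))
    except ValueError:  # malformed split, base64 or JSON
        return None
    if not isinstance(claims, dict) or int(claims.get("exp", 0)) <= now:
        return None
    return claims


def revoke(token: str) -> str:
    """Record the token's jti as revoked (the operator's 'revoke this token' action)."""
    jti = json.loads(unb64url(token.split(".")[0]))["jti"]
    REVOKED_JTIS.add(jti)
    return jti


def authorize_client_registration_vulnerable(token: str, now: Optional[int] = None) -> bool:
    """Flawed pattern: a well-formed, unexpired token with the right role is
    accepted even after it has been revoked, because the store is never read."""
    claims = verify_and_decode(token, now)
    if claims is None:
        return False
    return bool(CLIENT_REGISTRATION_ROLES & set(claims.get("roles", [])))


def authorize_client_registration_fixed(token: str, now: Optional[int] = None) -> bool:
    """Corrected guard: the same checks plus a lookup in the revocation store."""
    claims = verify_and_decode(token, now)
    if claims is None:
        return False
    if claims.get("jti") in REVOKED_JTIS:
        return False
    return bool(CLIENT_REGISTRATION_ROLES & set(claims.get("roles", [])))


if __name__ == "__main__":
    leaked = issue_token("service-account-ci", ["create-client"], "jti-0001")
    revoke(leaked)
    print("vulnerable guard accepts revoked token:",
          authorize_client_registration_vulnerable(leaked))
    print("fixed guard accepts revoked token:",
          authorize_client_registration_fixed(leaked))
```

The point to take from the two guards is that signature and expiry checks say nothing about revocation: a stateless check of the token alone can never reject a token that was valid when minted, so every endpoint that accepts the token has to perform the revocation lookup, not just the ones where it was first added.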