Keycloak: Impersonation and lockout possible through incorrect handling of email trust

GHSA-c7xw-p58w-h6fj · CVE-2023-0105

Published Jul 18, 2023 · Modified Feb 16, 2024

Description

Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.

References

WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-c7xw-p58w-h6fj
WEB https://github.com/keycloak/keycloak/commit/87a50d3ba790b049e436c9925874f9b418af7988
WEB https://access.redhat.com/security/cve/CVE-2023-0105
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2158910
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes