New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
HIGH 8.7 Maven

Keycloak vulnerable to user impersonation via stolen UUID code

GHSA-9g98-5mj6-f9mv · CVE-2023-0264

Published · Modified

Description

Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens.

Ready to move

Start Securing

Free, no credit card | First findings in minutes