CVE-2023-0105

MEDIUM 6.5 | EPSS 0.20%

Keycloak: Impersonation and lockout possible through incorrect handling of email trust

Published: 2023/7/18 | Modified: 2024/2/16

Description

Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |

References (5)