Keycloak Revalidate Client Cert misconfig allows any truststore to be accepted
CVE-2023-1664 Published on May 26, 2023

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.

Github Repository NVD

Vulnerability Analysis

CVE-2023-1664 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.


Products Associated with CVE-2023-1664

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-1664 are published in these products:

Red Hat Keycloak
 
Red Hat Single Sign On
 
Red Hat Build Of Quarkus
 
Red Hat Jboss A Mq
 
Red Hat Migration Toolkit For Runtimes
 

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-1664

Package Manager Vulnerable Package Versions Fixed In
maven org.keycloak:keycloak-core < 21.1.2 21.1.2

Exploit Probability

EPSS
0.24%
Percentile
46.65%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.