Keycloak 11.3 OAuth2 client_secret_jwt Auth Bypass
CVE-2023-40545 Published on February 6, 2024
PingFederate OAuth client_secret_jwt Authentication Bypass
An authentication bypass is possible via specially crafted requests when an OAuth2 client uses client_secret_jwt as its authentication method on affected 11.3 versions.
Vulnerability Analysis
CVE-2023-40545 can be exploited with network access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
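The client_secret_jwt method named in the advisory has the client sign a short-lived JWT with its registered shared secret (HMAC-SHA256) and present it to the token endpoint in place of a plain client secret. The advisory does not describe how this particular bypass works, and the code below is neither PingFederate's implementation nor the flaw; it is an added reference example, written for this page, of the checks a token endpoint must perform before treating such an assertion as proof of client identity (pinned algorithm, secret looked up from the registry rather than the request, constant-time signature comparison, audience, validity window, and one-time jti). The endpoint URL, client id and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; not taken from the advisory or any real deployment.
TOKEN_ENDPOINT = "https://as.example/as/token.oauth2"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "constructed-shared-secret-for-this-example-only"
MAX_ASSERTION_LIFETIME = 300  # seconds; long-lived assertions widen the replay window
CLOCK_SKEW = 60               # seconds of tolerated clock drift on iat


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(client_id: str, secret: str, aud: str, now: int, jti: str, lifetime: int = 60) -> str:
    """Client side: build a client_secret_jwt assertion, HS256 keyed with the shared secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + lifetime, "jti": jti}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class AssertionVerifier:
    """Server side: every check below must pass before the client counts as authenticated."""

    def __init__(self, client_secrets: dict, audience: str):
        self.client_secrets = client_secrets   # client_id -> shared secret, from the client registry
        self.audience = audience               # identifier of this token endpoint
        self.seen_jti = {}                     # jti -> exp, for one-time-use enforcement

    def verify(self, assertion: str, now: int):
        """Return (client_id, "ok") on success, or (None, reason) on any failure."""
        parts = assertion.split(".")
        if len(parts) != 3:
            return None, "malformed"
        try:
            header = json.loads(b64url_decode(parts[0]))
            claims = json.loads(b64url_decode(parts[1]))
            sig = b64url_decode(parts[2])
        except (ValueError, UnicodeDecodeError):
            return None, "undecodable"
        # 1. Pin the algorithm: the server, not the token, decides how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None, "unsupported alg"
        # 2. Identity comes from iss/sub; the secret is looked up, never taken from the request.
        client_id = claims.get("iss") if isinstance(claims, dict) else None
        if not isinstance(client_id, str) or claims.get("sub") != client_id:
            return None, "iss/sub mismatch"
        secret = self.client_secrets.get(client_id)
        if secret is None:
            return None, "unknown client"
        # 3. Constant-time MAC comparison over the exact header.payload bytes that were received.
        expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None, "bad signature"
        # 4. Audience must name this endpoint, so an assertion minted for another server is useless here.
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return None, "wrong audience"
        # 5. Validity window: present, not expired, not issued in the future, not overly long-lived.
        iat, exp = claims.get("iat"), claims.get("exp")
        if not (isinstance(iat, int) and isinstance(exp, int)):
            return None, "missing iat/exp"
        if exp <= now or iat > now + CLOCK_SKEW or exp - iat > MAX_ASSERTION_LIFETIME:
            return None, "outside validity window"
        # 6. One-time use: a jti is remembered until its exp passes, then forgotten.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self.seen_jti:
            return None, "missing or replayed jti"
        self.seen_jti[jti] = exp
        return client_id, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    verifier = AssertionVerifier({CLIENT_ID: CLIENT_SECRET}, TOKEN_ENDPOINT)
    token = make_assertion(CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT, now, "jti-1")
    print(verifier.verify(token, now))   # ('demo-client', 'ok')
    print(verifier.verify(token, now))   # (None, 'missing or replayed jti')
```

The order of the checks matters: the signature is verified before any claim is acted on, and the jti is recorded only after everything else has passed, so a rejected assertion never consumes a replay slot. In a multi-node deployment the `seen_jti` cache would live in shared storage; an in-memory dict is used here only to keep the example self-contained.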
Products Associated with CVE-2023-40545
Affected Versions
Ping Identity PingFederate:
- Versions 11.3.0 through 11.3.2 (inclusive) are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.