[MAVEN:GHSA-9G98-5MJ6-F9MV] Keycloak vulnerable to user impersonation via stolen UUID code

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens.

Package	Affected Version
pkg:maven/org.keycloak/keycloak-services	< 21.0.1

Package	Fixed Version
pkg:maven/org.keycloak/keycloak-services	= 21.0.1

ID: MAVEN:GHSA-9G98-5MJ6-F9MV
Severity: high
URL: https://github.com/advisories/GHSA-9g98-5mj6-f9mv
Published: 2023-03-02T23:25:43
(18 months ago)
Modified: 2023-11-07T05:05:49
(10 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://github.com/keycloak/keycloak/security/advisories/GHSA-9g98-5mj6-f9mv
			https://github.com/keycloak/keycloak/commit/ec8109112e67208c13e13f6d1f8706a5a3ba8d4c
			https://nvd.nist.gov/vuln/detail/CVE-2023-0264
			https://access.redhat.com/security/cve/CVE-2023-0264
			https://github.com/advisories/GHSA-9g98-5mj6-f9mv

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.keycloak/keycloak-services	org.keycloak	keycloak-services	< 21.0.1
Fixed	pkg:maven/org.keycloak/keycloak-services	org.keycloak	keycloak-services	= 21.0.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date