GoogleOSV:GHSA-J628-Q885-8GR5Keycloak vulnerable to log Injection during WebAuthn authentication or registration
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
17.1%
A flaw was found in keycloak 22.0.5. Errors in browser client during setup/auth with “Security Key login” (WebAuthn) are written into the form, send to Keycloak and logged without escaping allowing log injection.
Acknowledgements:
Special thanks toTheresa Henze for reporting this issue and helping us improve our security.
References
access.redhat.com/errata/RHSA-2024:0798
access.redhat.com/errata/RHSA-2024:0799
access.redhat.com/errata/RHSA-2024:0800
access.redhat.com/errata/RHSA-2024:0801
access.redhat.com/errata/RHSA-2024:0804
access.redhat.com/errata/RHSA-2024:1860
access.redhat.com/errata/RHSA-2024:1861
access.redhat.com/errata/RHSA-2024:1862
access.redhat.com/errata/RHSA-2024:1864
access.redhat.com/errata/RHSA-2024:1865
access.redhat.com/errata/RHSA-2024:1866
access.redhat.com/errata/RHSA-2024:1867
access.redhat.com/errata/RHSA-2024:1868
access.redhat.com/security/cve/CVE-2023-6484
bugzilla.redhat.com/show_bug.cgi?id=2248423
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/110f64a8146d0817252f90cf4b5e6a62aa897aff
github.com/keycloak/keycloak/commit/f9049565a9a228faa08138b9269d66d3de6c7e9a
github.com/keycloak/keycloak/issues/25078
github.com/keycloak/keycloak/security/advisories/GHSA-j628-q885-8gr5
nvd.nist.gov/vuln/detail/CVE-2023-6484
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
17.1%