(RHSA-2024:6501) Moderate: Red Hat build of Keycloak 22.0.12 Update

2024-09-0915:41:44

access.redhat.com

red hat

keycloak 22.0.12

single sign-on

security fixes

brute force protection

elytron saml adapters

ldap bind credentials

update

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

High

JSON

Red Hat build of Keycloak 22.0.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat build of Keycloak 22.0.12 serves as a replacement for Red Hat Single Sign-On 7.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security fixes:

potential bypass of brute force protection (CVE-2024-4629)
session fixation in elytron saml adapters (CVE-2024-7341)
Leak of configured LDAP bind credentials through the Keycloak admin console (CVE-2024-5967)