CVE-2023-4918: Keycloak vulnerable to Plaintext Storage of User Password
(updated )
A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the “password” and “password-confirm” field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment.
References
Detect and mitigate CVE-2023-4918 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →