CVE-2023-2422: Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients

October 4, 2023 (updated November 9, 2023)

When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.

References

github.com/advisories/GHSA-3qh5-qqj2-c78f
github.com/keycloak/keycloak/commit/5c6c55945a384bfd82e51283096204dcb6f63d91
github.com/keycloak/keycloak/security/advisories/GHSA-3qh5-qqj2-c78f

Detect and mitigate CVE-2023-2422 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →