CVE-2023-3597: Keycloak secondary factor bypass in step-up authentication

April 17, 2024

Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication.

References

github.com/advisories/GHSA-4f53-xh3v-g8x4
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/aa634aee882892960a526e49982806e103c8a432
github.com/keycloak/keycloak/security/advisories/GHSA-4f53-xh3v-g8x4
nvd.nist.gov/vuln/detail/CVE-2023-3597

Code Behaviors & Features

Detect and mitigate CVE-2023-3597 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →