CVE-2023-6484: Keycloak vulnerable to log Injection during WebAuthn authentication or registration

April 17, 2024

A flaw was found in keycloak 22.0.5. Errors in browser client during setup/auth with “Security Key login” (WebAuthn) are written into the form, send to Keycloak and logged without escaping allowing log injection.

Acknowledgements: Special thanks toTheresa Henze for reporting this issue and helping us improve our security.

References

github.com/advisories/GHSA-j628-q885-8gr5
github.com/keycloak/keycloak
github.com/keycloak/keycloak/security/advisories/GHSA-j628-q885-8gr5
nvd.nist.gov/vuln/detail/CVE-2023-6484

Detect and mitigate CVE-2023-6484 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →