A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.
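The defensive check the description implies, as an added Go example that is not Keycloak's or Red Hat's code: a client-certificate authenticator that first verifies the presented chain against a trusted CA and then requires the certificate to be the one registered for the requested client_id, so a valid certificate issued to one client cannot authenticate as another. The Registry type, the demo CA, and the client names app-a and app-b are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Registry maps a registered client_id to the SHA-256 fingerprint of the one certificate bound to it (constructed demo model, not Keycloak's).
type Registry map[string][32]byte
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }
// AuthenticateClient accepts the presented leaf only if it chains to a trusted CA, is valid for client authentication,
// and is the certificate bound to clientID; a valid certificate issued to a different client is rejected.
func AuthenticateClient(reg Registry, roots *x509.CertPool, leaf *x509.Certificate, clientID string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if want, ok := reg[clientID]; !ok || want != Fingerprint(leaf) {
		return fmt.Errorf("certificate is not bound to client %q", clientID)
	}
	return nil
}
// newCert is demo fixture code: a self-signed CA when parent is nil, otherwise a client-auth leaf signed by parent.
func newCert(serial int64, cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent, pkey = t, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// Scenario issues certificates for app-a and app-b from one CA, then presents app-a's certificate as app-a (nil) and as app-b (error).
func Scenario() (asSelf, asOther error) {
	ca, caKey := newCert(1, "Demo Client CA", true, nil, nil)
	certA, _ := newCert(2, "app-a", false, ca, caKey)
	certB, _ := newCert(3, "app-b", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	reg := Registry{"app-a": Fingerprint(certA), "app-b": Fingerprint(certB)}
	return AuthenticateClient(reg, roots, certA, "app-a"), AuthenticateClient(reg, roots, certA, "app-b")
}
func main() { a, b := Scenario(); fmt.Println("as app-a:", a, "| as app-b:", b) }
```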
Vulnerable Product |
---|
redhat keycloak - |
redhat openshift_container_platform 4.9 |
redhat openshift_container_platform 4.10 |
redhat openshift_container_platform 4.11 |
redhat openshift_container_platform 4.12 |
redhat single_sign-on 7.6 |