A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Redhat
  • Build Keycloak
  • Keycloak
  • Red Hat Single Sign On
  • Rhosemc
  • Single Sign-on

Configuration 1 [-]

cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat build of Keycloak 22
rhbk/keycloak-rhel9:22-7 cpe:/a:redhat:build_keycloak:22::el9 RHSA-2024:0100 2024-01-09T00:00:00Z
Red Hat build of Keycloak 22.0.8
keycloak-core cpe:/a:redhat:build_keycloak:22 RHSA-2024:0101 2024-01-09T00:00:00Z
Red Hat Single Sign-On 7
keycloak-core cpe:/a:redhat:red_hat_single_sign_on:7.6 RHSA-2024:0804 2024-02-13T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.11-3.redhat_00001.1.el7sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 RHSA-2024:0094 2024-01-09T00:00:00Z
rh-sso7-keycloak-0:18.0.12-1.redhat_00001.1.el7sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 RHSA-2024:0798 2024-02-13T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.11-3.redhat_00001.1.el8sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 RHSA-2024:0095 2024-01-09T00:00:00Z
rh-sso7-keycloak-0:18.0.12-1.redhat_00001.1.el8sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 RHSA-2024:0799 2024-02-13T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.11-3.redhat_00001.1.el9sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 RHSA-2024:0096 2024-01-09T00:00:00Z
rh-sso7-keycloak-0:18.0.12-1.redhat_00001.1.el9sso cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 RHSA-2024:0800 2024-02-13T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-39 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2024:0097 2024-01-09T00:00:00Z
rh-sso-7/sso76-openshift-rhel8:7.6-41 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2024:0801 2024-02-13T00:00:00Z
Single Sign-On 7.6.6
keycloak-core cpe:/a:redhat:red_hat_single_sign_on:7.6.6 RHSA-2024:0098 2024-01-09T00:00:00Z
References
Link Providers
https://access.redhat.com/errata/RHSA-2024:0094 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0095 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0096 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0097 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0098 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0100 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0101 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0798 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0799 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0800 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0801 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0804 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2023-6927 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2255027 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2023-6927 cve-icon
https://www.cve.org/CVERecord?id=CVE-2023-6927 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-12-18T22:59:07.495Z

Updated: 2024-09-16T16:29:35.123Z

Reserved: 2023-12-18T15:44:40.245Z

Link: CVE-2023-6927

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-12-18T23:15:10.027

Modified: 2024-02-14T03:15:14.550

Link: CVE-2023-6927

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-12-18T00:00:00Z

Links: CVE-2023-6927 - Bugzilla