Security Advisories

CGA-v9p7-g7qm-vgf7

Published

Last updated

https://images.chainguard.dev/security/CGA-v9p7-g7qm-vgf7
Package

keycloak

Latest Update
Fixed
Fixed Version

24.0.3-r0

Aliases
  • CVE-2023-6787
  • GHSA-c9h6-v78w-52wj

Severity

6.5

Medium

CVSS V3

Summary

Keycloak vulnerable to session hijacking via re-authentication

Description

A flaw was found in Keycloak. An active Keycloak session can be hijacked by initiating a new authentication (with the query parameter prompt=login) and forcing the user to enter their credentials once again. If the user cancels this re-authentication by clicking Restart login, an account takeover can take place, because the new session, with a different subject (SUB), will have the same session ID (SID) as the previous session.

References

Updates
