Skip to main content

Build Of Quarkus CVE-2023-1664

MEDIUM
Improper Certificate Validation (CWE-295)
2023-05-26 secalert@redhat.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 26, 2023 - 18:15 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 92 maven packages depend on org.keycloak:keycloak-core (44 direct, 48 indirect)

Ecosystem-wide dependent count for version 21.1.2.

DescriptionNVD

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.

AnalysisAI

A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-295. A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable. Affected products include: Redhat Build Of Quarkus, Redhat Jboss A-Mq, Redhat Keycloak, Redhat Migration Toolkit For Runtimes, Redhat Single Sign-On.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-4853 HIGH POC
8.1 Sep 20

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly whe

CVE-2022-4116 CRITICAL
9.8 Nov 22

A vulnerability was found in quarkus. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no

CVE-2023-2974 HIGH
8.1 Jul 04

A vulnerability was found in quarkus-core. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, l

CVE-2022-1011 HIGH
7.8 Mar 18

A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). Rated high sev

CVE-2023-6394 HIGH
7.4 Dec 09

A flaw was found in Quarkus. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authenticati

CVE-2023-1108 HIGH
7.5 Sep 14

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authenticat

CVE-2022-1259 HIGH
7.5 Aug 31

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authenticat

CVE-2021-20218 HIGH
7.4 Mar 16

A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. Rated high severity (CVSS 7.4), this vulne

CVE-2023-0044 MEDIUM
6.1 Feb 23

If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated

CVE-2023-6393 MEDIUM
5.3 Dec 06

A flaw was found in the Quarkus Cache Runtime. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploita

CVE-2021-3642 MEDIUM
5.3 Aug 05

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final

CVE-2021-3536 MEDIUM
4.8 May 20

A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin conso

Share

CVE-2023-1664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy