Description
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1790759
Related Vulnerabilities
CVE-2023-25500 Vulnerability in maven package com.vaadin:vaadin
CVE-2021-33604 Vulnerability in maven package com.vaadin:flow-server
CVE-2022-36098 Vulnerability in maven package org.xwiki.platform:xwiki-platform-mentions-ui
CVE-2022-4361 Vulnerability in maven package org.keycloak:keycloak-services