Description

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1906797

Related Vulnerabilities

CVE-2023-29207 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-skin-resources

CVE-2023-30428 Vulnerability in maven package org.apache.pulsar:pulsar-broker

CVE-2023-50720 Vulnerability in maven package org.xwiki.platform:xwiki-platform-search-solr-api

CVE-2023-29471 Vulnerability in maven package com.typesafe.akka:akka-stream-kafka_2.13

CVE-2018-14041 Vulnerability in maven package org.webjars:bootstrap

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Tags

Issue Tracking Vendor Advisory NVD-CWE-noinfo