GMS-2023-37: Keycloak has lack of validation of access token on client registrations endpoint

January 12, 2023

When a service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token.

If the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints.

References

github.com/advisories/GHSA-v436-q368-hvgg
github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg

Code Behaviors & Features

Detect and mitigate GMS-2023-37 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →