GMS-2023-573: Keycloak vulnerable to user impersonation via stolen UUID code

August 4, 2023 (updated August 14, 2023)

Keycloak’s OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens.

References

github.com/advisories/GHSA-9g98-5mj6-f9mv
github.com/keycloak/keycloak/commit/ec8109112e67208c13e13f6d1f8706a5a3ba8d4c
github.com/keycloak/keycloak/security/advisories/GHSA-9g98-5mj6-f9mv

Code Behaviors & Features

Detect and mitigate GMS-2023-573 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →