CVE-2023-4918 - OpenCVE

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Keycloak

Configuration 1 [-]

cpe:2.3:a:redhat:keycloak:22.0.2:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2023-4918	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2238588	Issue Tracking Vendor Advisory
https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-12T19:24:59.955Z

Updated: 2024-01-23T00:56:17.069Z

Reserved: 2023-09-12T15:02:05.129Z

Link: CVE-2023-4918

JSON object: View

NVD Information

Status : Modified

Published: 2023-09-12T20:15:10.390

Modified: 2023-11-07T04:23:09.847

Link: CVE-2023-4918

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-4918", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-09-12T15:02:05.129Z", "datePublished": "2023-09-12T19:24:59.955Z", "dateUpdated": "2024-01-23T00:56:17.069Z"}, "containers": {"cna": {"title": "Plaintext storage of user password", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the \"password\" and \"password-confirm\" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment."}], "affected": [{"product": "keycloak", "vendor": "n/a", "versions": [{"version": "22.0.3", "status": "unaffected"}]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4918", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238588", "name": "RHBZ#2238588", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35"}], "datePublic": "2023-09-12T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "description": "Plaintext Storage of a Password", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-256: Plaintext Storage of a Password", "timeline": [{"lang": "en", "time": "2023-09-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-09-12T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Upstream acknowledges Niko K\u00f6bler as the original reporter."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-01-23T00:56:17.069Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:22.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1E9595DA-E422-46EE-A280-1842DB2673F4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the \"password\" and \"password-confirm\" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el paquete Keycloak, m\u00e1s espec\u00edficamente en org.keycloak.userprofile. Cuando un usuario se registra a trav\u00e9s del flujo de registro, los campos \"contrase\u00f1a\" y \"confirmaci\u00f3n de contrase\u00f1a\" del formulario aparecer\u00e1n como atributos de usuario normales. Todos los usuarios y clientes con derechos y roles adecuados pueden leer los atributos de los usuarios, lo que permite a un usuario malicioso con acceso m\u00ednimo recuperar las contrase\u00f1as de los usuarios en texto claro, poniendo en peligro su entorno."}], "id": "CVE-2023-4918", "lastModified": "2023-11-07T04:23:09.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-09-12T20:15:10.390", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4918"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238588"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-256"}], "source": "secalert@redhat.com", "type": "Secondary"}]}