CVE-2023-6484 - OpenCVE

A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:0798
https://access.redhat.com/errata/RHSA-2024:0799
https://access.redhat.com/errata/RHSA-2024:0800
https://access.redhat.com/errata/RHSA-2024:0801
https://access.redhat.com/errata/RHSA-2024:0804
https://access.redhat.com/errata/RHSA-2024:1860
https://access.redhat.com/errata/RHSA-2024:1861
https://access.redhat.com/errata/RHSA-2024:1862
https://access.redhat.com/errata/RHSA-2024:1864
https://access.redhat.com/errata/RHSA-2024:1865
https://access.redhat.com/errata/RHSA-2024:1866
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
https://access.redhat.com/security/cve/CVE-2023-6484
https://bugzilla.redhat.com/show_bug.cgi?id=2248423

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2024-04-25T15:58:18.169Z

Updated: 2024-06-12T10:09:42.942Z

Reserved: 2023-12-04T10:48:43.809Z

Link: CVE-2023-6484

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-25T16:15:09.743

Modified: 2024-04-25T17:25:05.903

Link: CVE-2023-6484

JSON object: View

Redhat Information

No data.

CWE

CWE-117

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6484", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-12-04T10:48:43.809Z", "datePublished": "2024-04-25T15:58:18.169Z", "dateUpdated": "2024-06-12T10:09:42.942Z"}, "containers": {"cna": {"title": "Keycloak: log injection during webauthn authentication or registration", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "22.0.10-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "22-13", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "22-16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:22::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 22.0.10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:build_keycloak:22"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "keycloak", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.12-1.redhat_00001.1.el7sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.13-1.redhat_00001.1.el7sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.12-1.redhat_00001.1.el8sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.13-1.redhat_00001.1.el8sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.12-1.redhat_00001.1.el9sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.13-1.redhat_00001.1.el9sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso76-openshift-rhel8", "defaultStatus": "affected", "versions": [{"version": "7.6-41", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso76-openshift-rhel8", "defaultStatus": "affected", "versions": [{"version": "7.6-46", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso7-rhel8-init-container", "defaultStatus": "affected", "versions": [{"version": "7.6-16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso7-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "7.6-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso7-rhel8-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "7.6.8-2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHSSO 7.6.8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "keycloak-rhel9-operator-bundle-container", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:0798", "name": "RHSA-2024:0798", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0799", "name": "RHSA-2024:0799", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0800", "name": "RHSA-2024:0800", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0801", "name": "RHSA-2024:0801", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0804", "name": "RHSA-2024:0804", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1860", "name": "RHSA-2024:1860", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1861", "name": "RHSA-2024:1861", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1862", "name": "RHSA-2024:1862", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1864", "name": "RHSA-2024:1864", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1865", "name": "RHSA-2024:1865", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1866", "name": "RHSA-2024:1866", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1867", "name": "RHSA-2024:1867", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1868", "name": "RHSA-2024:1868", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-6484", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248423", "name": "RHBZ#2248423", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-12-04T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-117", "description": "Improper Output Neutralization for Logs", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-117: Improper Output Neutralization for Logs", "timeline": [{"lang": "en", "time": "2023-11-06T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-12-04T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-06-12T10:09:42.942Z"}}}}

{"descriptions": [{"lang": "en", "value": "A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity."}], "id": "CVE-2023-6484", "lastModified": "2024-04-25T17:25:05.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-04-25T16:15:09.743", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:0798"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:0799"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:0800"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:0801"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:0804"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1860"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1861"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1862"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1864"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1865"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1866"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1867"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1868"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2023-6484"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248423"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-117"}], "source": "secalert@redhat.com", "type": "Primary"}]}