CVE-2023-6787

Keycloak: session hijacking via re-authentication

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.

Se encontró una falla en Keycloak que se produce por un error en el mecanismo de reautenticación dentro de org.keycloak.authentication. Esta falla permite secuestrar una sesión activa de Keycloak al activar un nuevo proceso de autenticación con el parámetro de consulta "prompt=login", solicitando al usuario que vuelva a ingresar sus credenciales. Si el usuario cancela esta reautenticación seleccionando "Reiniciar inicio de sesión", puede ocurrir una apropiación de la cuenta, ya que la nueva sesión, con un SUB diferente, poseerá el mismo SID que la sesión anterior.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-12-13 CVE Reserved
2024-04-25 CVE Published
2024-04-26 EPSS Updated
2024-11-13 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:1867	2024-07-03
https://access.redhat.com/errata/RHSA-2024:1868	2024-07-03
https://access.redhat.com/security/cve/CVE-2023-6787	2024-04-16
https://bugzilla.redhat.com/show_bug.cgi?id=2254375	2024-04-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Build Keycloak Search vendor "Redhat" for product "Build Keycloak"				*		-		Affected
Redhat Search vendor "Redhat"		Red Hat Single Sign On Search vendor "Redhat" for product "Red Hat Single Sign On"				*		-		Affected