Vulnerability DatabaseCVE-2023-6927
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-6927
December 18, 2023
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.
Affected Packages
org.keycloak:keycloak-core (JAVA):
Affected version(s) >=1.0-alpha-1 <23.0.4
Fix Suggestion:
Update to version 23.0.4
Related Resources (17)
https://access.redhat.com/errata/RHSA-2024:0096
https://access.redhat.com/errata/RHSA-2024:0801
https://bugzilla.redhat.com/show_bug.cgi?id=2255027
https://access.redhat.com/errata/RHSA-2024:0098
https://access.redhat.com/errata/RHSA-2024:0798
https://access.redhat.com/errata/RHSA-2024:0097
https://access.redhat.com/errata/RHSA-2024:0804
https://access.redhat.com/security/cve/CVE-2023-6927
https://github.com/keycloak/keycloak/security/advisories/GHSA-9vm7-v8wj-3fqw
https://access.redhat.com/errata/RHSA-2024:0095
https://access.redhat.com/errata/RHSA-2024:0101
https://github.com/keycloak/keycloak
https://access.redhat.com/errata/RHSA-2024:0094
https://access.redhat.com/errata/RHSA-2024:0800
https://access.redhat.com/errata/RHSA-2024:0799
https://access.redhat.com/errata/RHSA-2024:0100
https://nvd.nist.gov/vuln/detail/CVE-2023-6927
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
URL Redirection to Untrusted Site ('Open Redirect')
CWE-601
EPSS
Base Score:
0.84