
Keycloak vulnerable to LDAP Injection on UsernameForm Login

Low severity GitHub Reviewed Published Nov 29, 2023 in keycloak/keycloak • Updated Nov 30, 2023

Package                                         Affected versions   Patched versions
org.keycloak:keycloak-ldap-federation (Maven)   < 23.0.1            23.0.1
org.keycloak:keycloak-services (Maven)          < 23.0.1            23.0.1

Description

A flaw was found in the Keycloak package. An attacker can exploit an LDAP query issued during UsernameForm login to learn which usernames exist on the server.

References

@stianst published to keycloak/keycloak Nov 29, 2023
Published to the GitHub Advisory Database Nov 29, 2023
Reviewed Nov 29, 2023
Last updated Nov 30, 2023

Severity

Low

Weaknesses

CVE ID

CVE-2022-2232

GHSA ID

GHSA-8hc5-rmgf-qx6p

Source code

Credits
