Skip to content

Keycloak vulnerable to LDAP Injection on UsernameForm Login

Low severity GitHub Reviewed Published Nov 29, 2023 in keycloak/keycloak • Updated Nov 30, 2023

Package

maven org.keycloak:keycloak-ldap-federation (Maven)

Affected versions

< 23.0.1

Patched versions

23.0.1
maven org.keycloak:keycloak-services (Maven)
< 23.0.1
23.0.1

Description

A flaw was found in the Keycloak package. This flaw allows an attacker to benefit from an LDAP query and access existing usernames in the server.

References

@stianst stianst published to keycloak/keycloak Nov 29, 2023
Published to the GitHub Advisory Database Nov 29, 2023
Reviewed Nov 29, 2023
Last updated Nov 30, 2023

Severity

Low

Weaknesses

CVE ID

CVE-2022-2232

GHSA ID

GHSA-8hc5-rmgf-qx6p

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.