CVE-2023-0105
Keycloak: Impersonation and lockout possible through incorrect handling of email trust
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 0.20%
Description
Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.
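To make the logic flaw in the description concrete, here is an added, simplified Python model (not Keycloak's code, and not a substitute for upgrading): an account store where changing the email keeps the verified flag, beside the corrected handling that resets it, plus an audit a defender can run over an existing store to find addresses that more than one account claims as verified. The user model, helper names and sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class User:
    username: str
    email: str
    email_verified: bool = False

def normalize(email: str) -> str:
    # Constructed helper: compare addresses case-insensitively, ignoring whitespace.
    return email.strip().lower()

def change_email_vulnerable(user: User, new_email: str) -> None:
    # The flawed pattern described in CVE-2023-0105 (simplified model, not
    # Keycloak's actual code): the verified flag survives an address change.
    user.email = new_email

def change_email_fixed(user: User, new_email: str) -> None:
    # Hardened form: a different address has not been proven, so the verified
    # state is reset and the user must confirm the new address again.
    if normalize(new_email) != normalize(user.email):
        user.email_verified = False
    user.email = new_email

def verified_owners(users: list[User], email: str) -> list[str]:
    # The trust decision a login, account-linking or recovery flow makes:
    # which accounts hold this address with a verified flag?
    return sorted(u.username for u in users
                  if u.email_verified and normalize(u.email) == normalize(email))

def audit_duplicate_verified(users: list[User]) -> dict[str, list[str]]:
    # Defender's check over an existing user store: addresses that more than
    # one account claims as verified, which is the state the bug leaves behind.
    seen: dict[str, list[str]] = {}
    for u in users:
        if u.email_verified:
            seen.setdefault(normalize(u.email), []).append(u.username)
    return {e: sorted(n) for e, n in seen.items() if len(n) > 1}

def build_scenario(change_email) -> list[User]:
    # Constructed sample data: two accounts, each verified for its own address,
    # then the second account changes its address to the first one's.
    alice = User("alice", "alice@example.com", email_verified=True)
    bob = User("bob", "bob@example.com", email_verified=True)
    change_email(bob, "Alice@Example.com")
    return [alice, bob]

if __name__ == "__main__":
    for label, fn in (("vulnerable", change_email_vulnerable), ("fixed", change_email_fixed)):
        users = build_scenario(fn)
        print(label, verified_owners(users, "alice@example.com"), audit_duplicate_verified(users))
```

With the flawed handler both accounts appear as verified owners of the same address and the audit reports it; with the corrected handler only the original owner does.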
How to fix CVE-2023-0105
To remediate CVE-2023-0105, upgrade the affected package to a fixed version below.
- Upgrade to 22.0.1 or later.
Is CVE-2023-0105 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Keycloak: all versions from 0 up to, but not including, 22.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |