Vulnerability Finding Name: Red Hat Keycloak Trust Email Configuration Email Change Handling Remote Issue.
Discussion: Red Hat Keycloak Trust Email Configuration Email Change Handling Remote Issue. Red Hat Keycloak contains a flaw that is triggered because the Trust Email configuration is not properly implemented. When a user updates their email address in one realm that acts as an identity provider for another realm, the updated email address is automatically marked as verified without requiring verification by the user. This may allow an authenticated, remote attacker to lock out or impersonate other users.
Severity: Medium
CVSS Score: 6.5
CVE-ID: CVE-2023-0105
Release: 10.7
The way we have IAM configured, we are not at risk for this vulnerability. In order for IAM to be vulnerable, you must be able to create a "shared" realm, where the "customer" realm is linked as an identity provider. If you look at the Service Virtualization IAM page, we have disabled the creation of a realm through the UI, and therefore we are not vulnerable.
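As an added example that is not part of the original finding or of the Keycloak project, the following Python script audits a Keycloak realm export for identity providers that have Trust Email enabled, the setting the finding depends on. It is one way to confirm the assessment above from the configuration itself rather than from the UI: if no realm export contains an enabled `keycloak-oidc` broker with `trustEmail` set, there is no "shared" realm that trusts email claims from a "customer" realm. The field names (`identityProviders`, `alias`, `providerId`, `enabled`, `trustEmail`) are the standard keys of a Keycloak realm export; the realm export itself is constructed sample data, not a configuration taken from this deployment.

```python
"""Audit a Keycloak realm export for identity providers with Trust Email enabled.

Added example: reads a realm export (JSON) and lists every identity provider
that has trustEmail=true, putting enabled realm-to-realm (keycloak-oidc)
brokers first, since that is the configuration the finding describes.
"""
import json

# Constructed sample realm export (not real deployment data): a "shared" realm
# brokering logins from a "customer" realm with Trust Email enabled, plus an
# external SAML provider without it and a disabled legacy broker with it.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "shared",
    "identityProviders": [
        {
            "alias": "customer-realm",
            "providerId": "keycloak-oidc",
            "enabled": True,
            "trustEmail": True,
            "config": {"clientId": "shared-broker"},
        },
        {
            "alias": "corporate-saml",
            "providerId": "saml",
            "enabled": True,
            "trustEmail": False,
            "config": {},
        },
        {
            "alias": "legacy-broker",
            "providerId": "keycloak-oidc",
            "enabled": False,
            "trustEmail": True,
            "config": {},
        },
    ],
})


def find_trust_email_brokers(realm_export_json):
    """Return findings for every identity provider with trustEmail=true.

    Each finding records the realm, the provider alias and type, whether the
    provider is enabled, and whether it is a realm-to-realm (keycloak-oidc)
    broker. trustEmail is absent from older exports; it defaults to False.
    """
    realm = json.loads(realm_export_json)
    findings = []
    for idp in realm.get("identityProviders", []):
        if not idp.get("trustEmail", False):
            continue
        findings.append({
            "realm": realm.get("realm"),
            "alias": idp.get("alias"),
            "providerId": idp.get("providerId"),
            "enabled": idp.get("enabled", True),
            "realm_to_realm": idp.get("providerId") == "keycloak-oidc",
        })
    # Enabled realm-to-realm brokers are the risky case; list them first.
    findings.sort(key=lambda f: (not f["enabled"], not f["realm_to_realm"], f["alias"]))
    return findings


def format_report(findings):
    """Render findings as one human-readable line each."""
    lines = []
    for f in findings:
        state = "enabled" if f["enabled"] else "disabled"
        kind = "realm-to-realm broker" if f["realm_to_realm"] else "external IdP"
        lines.append(
            f'{f["realm"]}: idp "{f["alias"]}" ({f["providerId"]}, {kind}, {state}) has trustEmail=true'
        )
    return lines


if __name__ == "__main__":
    for line in format_report(find_trust_email_brokers(SAMPLE_REALM_EXPORT)):
        print(line)
```

Run it against each realm's export in turn; an empty result for every realm means no identity provider trusts email claims from a brokered realm, which is the condition the assessment above relies on. Flagged disabled brokers are worth tracking too, since re-enabling one silently restores the risky configuration.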