CVE-2023-2422 Red Hat Keycloak Improper Certificate Validation Remote Client Spoofing
Article ID: 272199
CVE-ID: CVE-2023-2422 (https://access.redhat.com/security/cve/cve-2023-2422)

When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client that possesses a valid certificate can authenticate itself as any other client and therefore access data that belongs to other clients.
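The following is an added illustration, not Keycloak's code or this product's code, of the check the description implies is missing: a chain-only check lets any certificate from the trusted CA authenticate as whichever client_id is claimed, while binding the certificate's subject DN to the registered client closes that gap. The certificate model, trust anchor and client registry are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed, minimal model of an X.509 certificate holding only the fields
# the check needs; a real deployment would parse the presented PEM/DER cert.
@dataclass(frozen=True)
class Cert:
    subject: str   # subject DN
    issuer: str    # issuer DN
    expired: bool

TRUSTED_CA = "CN=Example Issuing CA"  # assumed trust anchor (hypothetical)

# Hypothetical client registry: each OAuth client_id is bound to the subject
# DN of the one certificate that may authenticate as that client.
CLIENT_REGISTRY = {
    "billing-service": "CN=billing-service,O=Example Corp",
    "reporting-service": "CN=reporting-service,O=Example Corp",
}

def chain_is_valid(cert: Cert) -> bool:
    """Chain check only: issued by the trusted CA and not expired."""
    return cert.issuer == TRUSTED_CA and not cert.expired

def authenticate_chain_only(client_id: str, cert: Cert) -> bool:
    """Vulnerable pattern: any valid CA-issued cert is accepted for any
    registered client_id, so one client can act as another."""
    return client_id in CLIENT_REGISTRY and chain_is_valid(cert)

def authenticate_bound(client_id: str, cert: Cert) -> bool:
    """Hardened pattern: the cert must chain to the CA *and* its subject
    must match the DN registered for the claimed client_id."""
    expected_subject = CLIENT_REGISTRY.get(client_id)
    return (expected_subject is not None
            and chain_is_valid(cert)
            and cert.subject == expected_subject)

# Constructed sample: a cert legitimately issued to reporting-service.
REPORTING_CERT = Cert("CN=reporting-service,O=Example Corp", TRUSTED_CA, False)
```

With this registry, `authenticate_chain_only("billing-service", REPORTING_CERT)` succeeds while `authenticate_bound("billing-service", REPORTING_CERT)` is refused, which is the difference the advisory describes.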
Release: 10.7.2
IAM is not affected by this vulnerability, because mTLS authentication is not used for DevTest/IAM communications.
Conclusion: This vulnerability does not affect the Identity Access Manager.