CVE-2023-49594

Summary

An information disclosure vulnerability exists in the challenge functionality of instipod DuoUniversalKeycloakAuthenticator 1.0.7 plugin. A specially crafted HTTP request can lead to a disclosure of sensitive information. A user logging into Keycloak using DuoUniversalKeycloakAuthenticator plugin triggers this vulnerability.

Affected Software

VendorProductVersion RangeStatus
instipodDuoUniversalKeycloakAuthenticator1.0.7affected

Weaknesses

  • CWE-201: CWE-201: Information Exposure Through Sent Data

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References