Are any distributions of Keycloak vulnerable to Bug 1955113 (CVE-2021-31917)?

rmoqpd5t · February 3, 2022, 7:39pm

Flaw found in Infinispan (10.0.0 through 12.0.0) where an attacker can bypass authentication on REST endpoints with DIGEST authentication:

Bug 1955113 (CVE-2021-31917)
https://bugzilla.redhat.com/show_bug.cgi?id=1955113

Keycloak 16.x uses infinispan 12.1.7
Keycloak 15.x uses infinispan 11.0.9
Keycloak 14.x uses infinispan 11.0.9
Keycloak 13.x uses infinispan 11.0.9
Keycloak 12.x uses infinispan 11.0.4

By default I don’t see DIGEST authentication in use, therefore I assume Keycloak 12-15 are not impacted.

Has anyone else looked at this?

Topic		Replies	Views
Infinispan CVE cve-2021-31917 on keycloak 15.0	2	310	November 10, 2021
Is Keycloak affected by CVE-2022-46364?	0	357	January 16, 2023
CVE-2020-14302 and CVE-2020-10770 before Keycloak 13.0.0 Getting advice	3	984	March 17, 2021
What is the impact of CVE-2020-36518 on Keycloak 15.1.1 Securing applications	1	564	May 5, 2022
Keycloak legacy V 18.0.0 CVE Vulnerability Getting advice oidc	0	378	December 3, 2022

Are any distributions of Keycloak vulnerable to Bug 1955113 (CVE-2021-31917)?

Related Topics