A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.keycloak:keycloak-core(Maven) | 22.0.2 | 22.0.3 | N/A |
CVSS Metrics
