Vulnerability details: VCID-2n4m-jnmy-cfcy
Vulnerability ID VCID-2n4m-jnmy-cfcy
Aliases CVE-2023-0264
GHSA-9g98-5mj6-f9mv
GMS-2023-573
Summary Keycloak vulnerable to user impersonation via stolen UUID code
Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 4.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0264.json
cvssv3.1 8.7 https://access.redhat.com/security/cve/CVE-2023-0264
generic_textual HIGH https://access.redhat.com/security/cve/CVE-2023-0264
epss 0.02783 https://api.first.org/data/v1/epss?cve=CVE-2023-0264
epss 0.03396 https://api.first.org/data/v1/epss?cve=CVE-2023-0264
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-9g98-5mj6-f9mv
cvssv3.1 8.7 https://github.com/keycloak/keycloak
generic_textual HIGH https://github.com/keycloak/keycloak
cvssv3.1 8.7 https://github.com/keycloak/keycloak/commit/ec8109112e67208c13e13f6d1f8706a5a3ba8d4c
generic_textual HIGH https://github.com/keycloak/keycloak/commit/ec8109112e67208c13e13f6d1f8706a5a3ba8d4c
cvssv3.1 8.7 https://github.com/keycloak/keycloak/security/advisories/GHSA-9g98-5mj6-f9mv
cvssv3.1_qr HIGH https://github.com/keycloak/keycloak/security/advisories/GHSA-9g98-5mj6-f9mv
generic_textual HIGH https://github.com/keycloak/keycloak/security/advisories/GHSA-9g98-5mj6-f9mv
cvssv3.1 5.0 https://nvd.nist.gov/vuln/detail/CVE-2023-0264
cvssv3.1 8.7 https://nvd.nist.gov/vuln/detail/CVE-2023-0264
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-0264
No exploits are available.
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0264.json
Attack Vector (AV): adjacent_network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://access.redhat.com/security/cve/CVE-2023-0264
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/keycloak/keycloak
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/keycloak/keycloak/commit/ec8109112e67208c13e13f6d1f8706a5a3ba8d4c
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/keycloak/keycloak/security/advisories/GHSA-9g98-5mj6-f9mv
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-0264
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-0264
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.85592
EPSS Score 0.02783
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:43:40.151513+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-9g98-5mj6-f9mv/GHSA-9g98-5mj6-f9mv.json 37.0.0