CVE-2023-6927: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2023-6927) was discovered in Keycloak that allows attackers to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". This vulnerability could be used to bypass the security patch implemented to address CVE-2023-6134. The issue was discovered in December 2023 and affects Red Hat Single Sign-On and Red Hat build of Keycloak products (NVD, Red Hat Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) by NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Red Hat assessed it with a score of 4.6 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. The vulnerability specifically involves the JARM response mode "form_post.jwt" and can be exploited by changing the response_mode parameter from "form_post" to "form_post.jwt" (NVD).

The vulnerability allows attackers to steal authorization codes or tokens from clients, potentially compromising authentication and authorization mechanisms. This could lead to unauthorized access to protected resources and bypass of security controls (Red Hat Advisory).

Red Hat has released security updates to address this vulnerability across multiple products including Red Hat Single Sign-On 7.6.7 and Red Hat build of Keycloak 22.0.8. Updates are available for various platforms including RHEL 7, 8, and 9, as well as OpenShift Container Platform versions (RHSA-2024:0804, RHSA-2024:0799).