Improper Input Validation for Recovery Codes Setup · Issue #26104 · keycloak/keycloak · GitHub
Improper Input Validation for Recovery Codes Setup #26104
Closed
@abstractj

Description

When an authenticated user sets up Recovery Codes, he has to validate a form listing the 12 Recovery Codes generated. The Recovery Codes displayed are sent back to the server when the user clicks the "Complete Setup" button through the generatedRecoveryAuthnCodes parameter. No checks on the values or number of the Recovery Codes sent by the user are performed by the application logic.

A user can therefore decide to send many more recovery codes (made of an alphabet of his choosing). If the user does not specify a parameter for the form's generatedRecoveryAuthnCodes parameter, a single Recovery Code equivalent to an empty string will be created.

Version

>= 23.0.4

Recommendations

Consider revising the application logic to check the validity of Recovery Codes sent by the user against the server generated ones.
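The check recommended above, shown as an added Python example beside the flawed behaviour the issue describes (this is illustrative code, not Keycloak's own implementation; the code alphabet, the per-code length and the comma-separated encoding of the generatedRecoveryAuthnCodes parameter are assumptions):

```python
import secrets
import string
from typing import List, Optional, Tuple

CODE_ALPHABET = string.ascii_uppercase + string.digits  # assumed alphabet
CODE_COUNT = 12                                          # the issue says 12 codes are shown
CODE_LEN = 12                                            # assumed length of one code


def generate_codes(count: int = CODE_COUNT) -> List[str]:
    """Server side: generate the codes shown to the user. The same list must be
    kept in the server-side authentication session so the form can be checked."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
            for _ in range(count)]


def vulnerable_setup(submitted: Optional[str]) -> List[str]:
    """Mirrors the flaw in the issue: the posted parameter value is stored as-is,
    so any number of arbitrary codes is accepted, and a missing parameter
    collapses into a single empty-string code."""
    return (submitted or "").split(",")


def validate_submission(session_codes: List[str],
                        submitted: Optional[str]) -> Tuple[bool, str]:
    """Hardened check: accept the form only if the posted codes are exactly the
    ones the server generated for this session (same count, values and order)."""
    if submitted is None:
        return False, "generatedRecoveryAuthnCodes parameter is missing"
    posted = submitted.split(",")
    if len(posted) != len(session_codes):
        return False, f"expected {len(session_codes)} codes, got {len(posted)}"
    if posted != session_codes:
        return False, "posted codes do not match the server-generated codes"
    return True, "ok"


def hardened_setup(session_codes: List[str],
                   submitted: Optional[str]) -> Optional[List[str]]:
    """Persist the server-side copy, never the client-supplied one.
    Returns None when the submission is rejected."""
    ok, _reason = validate_submission(session_codes, submitted)
    return list(session_codes) if ok else None
```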

References
