Keycloak 22.0.3 released

September 12 2023

To download the release go to Keycloak downloads.

Release notes

Security vulnerability when registering or updating user through templates

A security vulnerability was introduced in Keycloak 22.0.2. We highly recommend not upgrading to 22.0.2, and for anyone that has deployed 22.0.2 in production to upgrade to 22.0.3 immediately.

For users that has self-registered after Keycloak was upgraded to 22.0.2 their password is not stored securely, and can be exposed to administrators of Keycloak. This only affects users that has registered after the upgrade was rolled-out, and does not affect any previously registered users.

Any realm using the preview declarative user profile is not affected by this issue, and only realms using the default user profile provider is affected.

To identify if there are any affected users in your deployment you can query these by accessing the database, and running the following SQL statement:

SELECT DISTINCT U.ID, U.USERNAME, U.EMAIL, U.REALM_ID FROM USER_ENTITY U
    INNER JOIN USER_ATTRIBUTE UA ON U.ID = UA.USER_ID
    WHERE UA.NAME IN ('password','password-confirm')

We recommend contacting any affected users as well as adding the update password required action for them.

If there are any affected users we also recommend removing these attributes from the database by running the following SQL statement:

DELETE FROM USER_ATTRIBUTE UA WHERE UA.NAME IN ('password','password-confirm')

If any backups have been done of the database after the 22.0.2 release and there are affected users, we recommend deleting these.

Custom user storage providers

Any deployments with custom user storage federation providers may also be affected, please verify your custom user storage to identify if this is an issue.

To identify if there are any federated user affected in your deployment in case the user storage provider is delegating management of attributes to Keycloak, you can query these by accessing the database, and running the following SQL statement:

SELECT DISTINCT USER_ID,REALM_ID,STORAGE_PROVIDER_ID FROM FED_USER_ATTRIBUTE
    WHERE NAME IN ('password','password-confirm')

If there are any affected federated users, we also recommend removing these attributes from the database by running the following SQL statement:

DELETE FROM FED_USER_ATTRIBUTE UA WHERE UA.NAME IN ('password','password-confirm')

If your custom user storage provider is managing attributes itself, you should look at your custom storage to remove the password and password-confirm attributes.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.