
CVE-2024-3656 org.keycloak:keycloak-services

Package

Manager: maven
Name: org.keycloak:keycloak-services
Vulnerable Version: >=0 <24.0.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.88292 (percentile: 0.99464)

Details

Keycloak's admin API allows low-privilege users to use administrative functions. Users with low privileges (plain users in the realm) are able to invoke administrative functionality exposed through the Keycloak admin interface. This issue presents a significant security risk, as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. **Acknowledgements:** Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

Metadata

Created: 2024-06-11T20:22:40Z
Modified: 2024-12-23T17:11:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-2cww-fgmg-4jqc/GHSA-2cww-fgmg-4jqc.json
CWE IDs: ["CWE-200", "CWE-269", "CWE-284"]
Alternative ID: GHSA-2cww-fgmg-4jqc
Finding: F039
Auto approve: 1