logo

Database

Improper authorization control for web services In org.keycloak:keycloak-services

Description

Keycloak's admin API allows low privilege users to use administrative functions Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-36562. NVD-2024-36563. OSV-2024-36564. GHSA-2cww-fgmg-4jqc5. GCVE-2024-36566. access.redhat.com7. access.redhat.com8. ACCESS-CVE-2024-3656

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-2cww-fgmg-4jqc2. https://github.com/keycloak/keycloak/commit/d9f0c84b797525eac55914db5f81a8133ef5f9b13. https://bugzilla.redhat.com/show_bug.cgi?id=22744034. https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md5. https://news.ycombinator.com/item?id=421360006. https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system7. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-3656.yaml8. https://github.com/h4x0r-dz/CVE-2024-3656

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.