GitHub Advisory Database: GHSA-2CWW-FGMG-4JQC
Published: Jun 11, 2024, 8:22 p.m.

Keycloak's admin API allows low privilege users to use administrative functions

CWE-269
CWE-284
Source: github.com

AI Score: 6.8 Medium (Confidence: Low)

Users with low privileges (plain users in the realm, with no administrative roles) are able to use administrative functionality of the Keycloak admin interface. This is a significant security risk because it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Acknowledgements:
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

Affected configurations

Name                              Operator   Version
org.keycloak:keycloak-services    lt         24.0.5
