GoogleOSV:GHSA-C25H-C27Q-5QPVKeycloak leaks configured LDAP bind credentials through the Keycloak admin console
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
13.7%
Impact
The LDAP testing endpoint allows to change the Connection URL independently of and without having to re-enter the currently configured LDAP bind credentials. An attacker with admin access (permission manage-realm) can change the LDAP host URL (“Connection URL”) to a machine they control. The Keycloak server will connect to the attacker’s host and try to authenticate with the configured credentials, thus leaking them to the attacker.
As a consequence, an attacker who has compromised the admin console/compromised a user with sufficient privileges can leak domain credentials and can now attack the domain.
Acknowledgements
Special thanks to Simon Wessling for reporting this issue and helping us improve our project
References
access.redhat.com/security/cve/CVE-2024-5967
bugzilla.redhat.com/show_bug.cgi?id=2292200
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/0d0530046b9cb4b0d74d2fdefc9bd04f1d20cac0
github.com/keycloak/keycloak/commit/1f56a9e48bf96c3bcb18dfc6cd93e3dd16f281f1
github.com/keycloak/keycloak/commit/bde8568d4174a7072f7c7bb507d2c7d05824b1a6
github.com/keycloak/keycloak/issues/30434
github.com/keycloak/keycloak/security/advisories/GHSA-c25h-c27q-5qpv
nvd.nist.gov/vuln/detail/CVE-2024-5967
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
13.7%