Skip to content

Keycloak's admin API allows low privilege users to use administrative functions

High severity GitHub Reviewed Published Jun 11, 2024 in keycloak/keycloak • Updated Jun 11, 2024

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

< 24.0.5

Patched versions

24.0.5

Description

Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Acknowledgements:
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

References

@rmartinc rmartinc published to keycloak/keycloak Jun 11, 2024
Published to the GitHub Advisory Database Jun 11, 2024
Reviewed Jun 11, 2024
Last updated Jun 11, 2024

Severity

High
8.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Weaknesses

CVE ID

CVE-2024-3656

GHSA ID

GHSA-2cww-fgmg-4jqc

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.