Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-gmrm-8fx4-66x7: Keycloak: Leak of configured LDAP bind credentials

A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL (“Connection URL”) to a machine they control. The Keycloak server will connect to the attacker’s host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.

ghsa
#vulnerability#mac#git#java#ldap#auth#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-5967

Keycloak: Leak of configured LDAP bind credentials

Low severity GitHub Reviewed Published Jun 18, 2024 to the GitHub Advisory Database • Updated Jun 18, 2024

Package

maven org.keycloak:keycloak-core (Maven)

Affected versions

<= 24.0.5

A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL (“Connection URL”) to a machine they control. The Keycloak server will connect to the attacker’s host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-5967
  • https://access.redhat.com/security/cve/CVE-2024-5967
  • https://bugzilla.redhat.com/show_bug.cgi?id=2292200

Published to the GitHub Advisory Database

Jun 18, 2024

Last updated

Jun 18, 2024

Related news

GHSA-c25h-c27q-5qpv: Keycloak leaks configured LDAP bind credentials through the Keycloak admin console

### Impact The LDAP testing endpoint allows to change the Connection URL independently of and without having to re-enter the currently configured LDAP bind credentials. An attacker with admin access (permission manage-realm) can change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console/compromised a user with sufficient privileges can leak domain credentials and can now attack the domain. ### Acknowledgements Special thanks to Simon Wessling for reporting this issue and helping us improve our project