Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-2cww-fgmg-4jqc: Keycloak's admin API allows low privilege users to use administrative functions

Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

ghsa
#git#java#auth#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-3656

Keycloak’s admin API allows low privilege users to use administrative functions

High severity GitHub Reviewed Published Jun 11, 2024 in keycloak/keycloak • Updated Jun 11, 2024

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

< 24.0.5

Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Acknowledgements:
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

References

  • GHSA-2cww-fgmg-4jqc
  • keycloak/keycloak@d9f0c84

Published to the GitHub Advisory Database

Jun 11, 2024

Last updated

Jun 11, 2024

ghsa: Latest News

GHSA-49cc-xrjf-9qf7: SFTPGo allows administrators to restrict command execution from the EventManager