GHSA-2cww-fgmg-4jqc: Keycloak's admin API allows low privilege users to use administrative functions
Users with low privileges (plain users in the realm) are able to use administrative functionality in the Keycloak admin interface. This is a significant security risk: it lets unauthorized users perform actions reserved for administrators, potentially leading to data breaches or system compromise.
Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.
- CVE-2024-3656
High severity. GitHub Reviewed. Published Jun 11, 2024 in keycloak/keycloak. Updated Jun 11, 2024.
Package
org.keycloak:keycloak-services (Maven)
Affected versions
< 24.0.5
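After patching (the affected range above implies 24.0.5 and later carry the fix), a practitioner will want a regression check that a plain realm user is actually denied by the admin REST API. The script below is an added example and is not part of this advisory or of Keycloak itself. The base URL, realm and credentials, the use of the default public `admin-cli` client with the password grant, and the list of representative read-only admin endpoints are all assumptions of this example (the advisory names no specific endpoint), so adapt them to your deployment.

```python
"""Probe whether a plain realm user can reach Keycloak admin REST endpoints.

Added example, not part of the advisory or of Keycloak. The base URL, realm,
user, the `admin-cli` client and the endpoint list are assumptions of this
example; the advisory does not say which functions were reachable.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Representative admin REST endpoints (assumption). Each is a read-only GET,
# so the probe itself changes nothing in the realm.
ADMIN_PROBES = (
    "/admin/realms/{realm}",
    "/admin/realms/{realm}/users",
    "/admin/realms/{realm}/clients",
    "/admin/realms/{realm}/roles",
)

# The only acceptable answers from an admin endpoint to a non-admin caller.
DENIED = frozenset({401, 403})


def password_token(base_url, realm, username, password, client_id="admin-cli"):
    """Get an access token for the user via the resource-owner password grant."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def probe_status(base_url, path, token):
    """GET one admin endpoint with the bearer token and return the HTTP status."""
    req = urllib.request.Request(base_url + path,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def unexpected_access(statuses):
    """Split probe results into findings and inconclusive endpoints.

    `statuses` maps endpoint path -> HTTP status. Any 2xx is a finding: a
    plain realm user must never get a successful response from the admin
    API. 401/403 are the expected denials. Anything else (404, 5xx, ...) is
    returned separately so a mistyped URL is not mistaken for a pass.
    """
    reachable = sorted(p for p, s in statuses.items() if 200 <= s < 300)
    inconclusive = sorted(p for p, s in statuses.items()
                          if not (200 <= s < 300) and s not in DENIED)
    return reachable, inconclusive


def run_probe(base_url, realm, username, password):
    """Authenticate as the low-privilege user and probe every admin endpoint."""
    token = password_token(base_url, realm, username, password)
    statuses = {}
    for template in ADMIN_PROBES:
        path = template.format(realm=realm)
        statuses[path] = probe_status(base_url, path, token)
    return unexpected_access(statuses)


if __name__ == "__main__":
    # usage: python probe.py https://kc.example.test myrealm plainuser 'secret'
    base, realm, user, pw = sys.argv[1:5]
    reachable, inconclusive = run_probe(base, realm, user, pw)
    for p in reachable:
        print(f"FAIL: {user} received a 2xx from {p}")
    for p in inconclusive:
        print(f"CHECK: {p} returned neither 2xx nor 401/403")
    sys.exit(1 if reachable else 0)
```

Run it with a freshly created user that holds no realm-management roles. A 2xx from any probe reproduces the class of behaviour the advisory describes and should fail the pipeline; a 404 or 5xx is reported as inconclusive rather than counted as a pass, since a wrong base path would otherwise look like a successful denial.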
References
- GHSA-2cww-fgmg-4jqc
- keycloak/keycloak@d9f0c84
Published to the GitHub Advisory Database: Jun 11, 2024
Last updated: Jun 11, 2024