CVE-2024-5967
Severity: Low (CVSS 2.7) | EPSS: 0.09%
Keycloak leaks configured LDAP bind credentials through the Keycloak admin console
Description
### Impact
The LDAP testing endpoint allows the Connection URL to be changed independently of, and without re-entering, the currently configured LDAP bind credentials. An attacker with admin access (the manage-realm permission) can point the LDAP host URL ("Connection URL") at a machine they control. The Keycloak server then connects to the attacker's host and tries to authenticate with the configured credentials, thereby leaking them to the attacker. As a consequence, an attacker who has compromised the admin console, or a user with sufficient privileges, can leak domain credentials and then attack the domain.
### Acknowledgements
Special thanks to Simon Wessling for reporting this issue and helping us improve our project.
Affected packages (1)
- Maven: org.keycloak:keycloak-ldap-federation, versions >= 25.0.0, < 25.0.1 (fixed in 25.0.1)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | Low (2.7) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-5967
- PATCH: https://github.com/keycloak/keycloak
- WEB: https://access.redhat.com/security/cve/CVE-2024-5967
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2292200
- WEB: https://github.com/keycloak/keycloak/commit/0d0530046b9cb4b0d74d2fdefc9bd04f1d20cac0
- WEB: https://github.com/keycloak/keycloak/commit/1f56a9e48bf96c3bcb18dfc6cd93e3dd16f281f1
- WEB: https://github.com/keycloak/keycloak/commit/bde8568d4174a7072f7c7bb507d2c7d05824b1a6
- WEB: https://github.com/keycloak/keycloak/issues/30434
- WEB: https://github.com/keycloak/keycloak/security/advisories/GHSA-c25h-c27q-5qpv