SB2024062410 - Information disclosure in Keycloak
Published: June 24, 2024
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2024-5967)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists because the LDAP testing endpoint allows the Connection URL to be changed independently of, and without having to re-enter, the currently configured LDAP bind credentials. A remote privileged user can modify the LDAP host URL ("Connection URL") to point at an attacker-controlled system and force the application to send the stored bind credentials to a malicious server.
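As an added illustration that is not Keycloak's code, the Python model below places the flawed credential-resolution logic beside a hardened variant that refuses to reuse the stored bind secret for any connection URL other than the configured one; the configuration values, request fields and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for a stored LDAP user-federation configuration.
STORED_CONFIG = {
    "connection_url": "ldaps://ldap.corp.example:636",
    "bind_dn": "cn=keycloak,ou=svc,dc=corp,dc=example",
    "bind_credential": "stored-secret",  # placeholder value, not a real secret
}


@dataclass
class TestRequest:
    """Fields an admin may submit to a 'test connection' endpoint (constructed)."""
    connection_url: str
    bind_dn: Optional[str] = None
    bind_credential: Optional[str] = None  # None means "no secret re-entered"


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def resolve_vulnerable(req: TestRequest, stored: dict) -> Tuple[str, str, str]:
    """Flawed pattern: the submitted URL is honoured, and a missing credential
    silently falls back to the stored secret, so the secret follows the URL."""
    return (req.connection_url,
            req.bind_dn or stored["bind_dn"],
            req.bind_credential or stored["bind_credential"])


def resolve_hardened(req: TestRequest, stored: dict) -> Tuple[str, str, str]:
    """Hardened pattern: the stored secret is only reused when the test targets
    the already-configured host; any other host requires a re-entered secret."""
    if req.bind_credential is not None:
        return (req.connection_url, req.bind_dn or stored["bind_dn"], req.bind_credential)
    if _host(req.connection_url) != _host(stored["connection_url"]):
        raise ValueError("connection URL changed; bind credentials must be re-entered")
    return (stored["connection_url"], stored["bind_dn"], stored["bind_credential"])


def stored_secret_would_leave(req: TestRequest, stored: dict, resolver) -> bool:
    """Review helper: True if the resolver would send the stored secret to a
    host other than the configured one (the condition this bulletin describes)."""
    try:
        url, _, cred = resolver(req, stored)
    except ValueError:
        return False
    return cred == stored["bind_credential"] and _host(url) != _host(stored["connection_url"])
```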
Remediation
Install update from vendor's website.