Information disclosure in Keycloak - CVE-2024-5967

 

Information disclosure in Keycloak - CVE-2024-5967

Published: June 24, 2024


Vulnerability identifier: #VU93095
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-5967
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the LDAP testing endpoint allows to change the Connection URL independently of and without having to re-enter the currently configured LDAP bind credentials. A remote privileged user can modify the LDAP host URL ("Connection URL") to the attacker-controlled system and force the application to send credentials to a malicious server.


How to mitigate CVE-2024-5967

Install updates from vendor's website.

Sources