Improper Authorization in Keycloak

#VU65130 Improper Authorization in Keycloak

Published: 2022-07-12

Vulnerability identifier: #VU65130

Vulnerability risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1466

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor: Keycloak

Description

The vulnerability allows a remote user to modify files on the system.

The vulnerability exists due to improper authorization. A remote user can add users to the master realm possible even though no respective permission was granted.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Keycloak: 17.0.0

External links
http://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
http://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076
http://bugzilla.redhat.com/show_bug.cgi?id=2050228

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM i Modernization Engine for Lifecycle Integration