#VU93095 Information disclosure in Keycloak - CVE-2024-5967
Published: June 24, 2024
Vulnerability identifier: #VU93095
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-5967
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Keycloak
Keycloak
Software vendor:
Keycloak
Keycloak
Description
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to the LDAP testing endpoint allows to change the Connection URL independently
of and without having to re-enter the currently configured LDAP bind
credentials. A remote privileged user can modify the LDAP host URL ("Connection URL") to the attacker-controlled system and force the application to send credentials to a malicious server.
Remediation
Install updates from vendor's website.