Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

References:
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076
I would like to know more details about this issue, like:
- Are those users who performed actions they should not be allowed to perform present on the master realm?
- If they are present on the master realm, which roles are assigned to them? Do they have any client roles?
- Would it be possible to have the screenshots from the "Role Mappings" tab for the user who managed to escalate those privileges?
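The questions above are about which role mappings the offending accounts actually hold. A defender who wants to answer them for their own deployment, or to verify after patching that only the intended accounts can create users in the master realm, can audit a realm export offline. The script below is an added example, not code from Keycloak, Red Hat or SySS; it assumes the shape of a Keycloak realm export where each user carries "realmRoles" and a "clientRoles" map keyed by client ID, and treats the "admin" realm role and the "manage-users" / "realm-admin" roles of the "master-realm" management client as the roles that permit user creation in master. The sample export is constructed for the example. Composite roles and group memberships are not expanded, so a real audit should run against an export where those have already been resolved, or extend the lookup.

```python
"""Audit which accounts can create users in the Keycloak master realm.

Added example (not Keycloak's own code). Works on a realm export JSON
document and reports every enabled user whose direct role mappings allow
creating users in the master realm. Assumption: the export has the user
fields "username", "enabled", "realmRoles" and "clientRoles".
"""
import json

# Roles that permit user creation in the master realm (assumption based on
# Keycloak's default master realm roles):
#  - "admin" is a master realm role that grants full administration.
#  - "manage-users" and "realm-admin" are client roles of the "master-realm"
#    management client, which scope administration to the master realm.
MASTER_REALM_ROLES_ALLOWING_USER_CREATE = {"admin"}
MASTER_MANAGEMENT_CLIENT = "master-realm"
MASTER_CLIENT_ROLES_ALLOWING_USER_CREATE = {"manage-users", "realm-admin"}

# Constructed sample export. "tenant-admin" holds manage-users on another
# realm's management client only; that must NOT count for the master realm.
SAMPLE_EXPORT = json.dumps({
    "realm": "master",
    "users": [
        {"username": "admin", "enabled": True,
         "realmRoles": ["admin", "default-roles-master"], "clientRoles": {}},
        {"username": "helpdesk", "enabled": True,
         "realmRoles": ["default-roles-master"],
         "clientRoles": {"master-realm": ["view-users", "manage-users"]}},
        {"username": "auditor", "enabled": True,
         "realmRoles": ["default-roles-master"],
         "clientRoles": {"master-realm": ["view-users"]}},
        {"username": "tenant-admin", "enabled": True,
         "realmRoles": ["default-roles-master"],
         "clientRoles": {"tenant-realm": ["manage-users"]}},
        {"username": "old-admin", "enabled": False,
         "realmRoles": ["admin"], "clientRoles": {}},
    ],
})


def can_create_master_users(user: dict) -> bool:
    """True if the user's direct role mappings allow creating users in master."""
    realm_roles = set(user.get("realmRoles", []))
    # Only roles on the master realm's own management client count; the same
    # role name on another realm's client (e.g. "tenant-realm") is ignored.
    client_roles = set(user.get("clientRoles", {}).get(MASTER_MANAGEMENT_CLIENT, []))
    return bool(realm_roles & MASTER_REALM_ROLES_ALLOWING_USER_CREATE
                or client_roles & MASTER_CLIENT_ROLES_ALLOWING_USER_CREATE)


def audit_master_user_creators(export_json: str) -> list[str]:
    """Return sorted usernames of enabled accounts that can create master users."""
    data = json.loads(export_json)
    if data.get("realm") != "master":
        raise ValueError(f"expected a master realm export, got {data.get('realm')!r}")
    return sorted(
        user["username"]
        for user in data.get("users", [])
        if user.get("enabled", True) and can_create_master_users(user)
    )


def unexpected_master_user_creators(export_json: str, allowlist: set[str]) -> list[str]:
    """Accounts that can create master users but are not on the approved list."""
    return [name for name in audit_master_user_creators(export_json) if name not in allowlist]


if __name__ == "__main__":
    # Example run against the constructed export with "admin" as the only approved account.
    print("can create master users:", audit_master_user_creators(SAMPLE_EXPORT))
    print("unexpected:", unexpected_master_user_creators(SAMPLE_EXPORT, {"admin"}))
```

On the constructed export this reports "admin" and "helpdesk" as able to create master users and flags "helpdesk" as unexpected, while "tenant-admin" is correctly excluded because its manage-users role is scoped to a different realm's management client. Comparing this list against the accounts you intend to have that capability is a quick way to confirm that realm-scoped administrators have not gained master realm privileges.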
I had a great chat with Patrick, and we identified that the issue is no longer present on the latest releases of RH-SSO and Keycloak. Thank you for your collaboration!
I cannot find proper information on affected Keycloak versions. I would like to request clarification.

* The CVE https://access.redhat.com/security/cve/cve-2022-1466 mentions Keycloak, but it does not mention affected Keycloak versions.
* The CVE in NVD only mentions Red Hat Single Sign-On and not Keycloak: https://nvd.nist.gov/vuln/detail/CVE-2022-1466
* This Bugzilla issue is the only place with version information ("Fixed In Version: keycloak 17.0.1"), but this issue was resolved with "NOTABUG".
* None of the GitHub security advisories mentions CVE-2022-1466: https://github.com/keycloak/keycloak/security/advisories
* I tried to reproduce the fault with various Keycloak versions, going back all the way to Keycloak 12.0.0, by following the details given in the disclosure document https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt, but I could not reproduce it.

Please, would you clarify the affected Keycloak versions?

Thank you for your help!
Sorry, I forgot to mention also that the Keycloak 17.0.1 release notes do not mention anything that sounds like this bug, or fixes to security vulnerabilities in general: https://www.keycloak.org/2022/03/keycloak-1701-released
(In reply to Tero Saarni from comment #7)
> I cannot find proper information on affected Keycloak versions. I would
> like to request for clarification.
>
> * The CVE https://access.redhat.com/security/cve/cve-2022-1466 mentions
> Keycloak but it does not mention affected Keycloak versions
> * The CVE in NVD only mentions Red Hat Single Sign-On and not Keycloak
> https://nvd.nist.gov/vuln/detail/CVE-2022-1466
> * This bugzilla issue is the only place with version information "Fixed In
> Version: keycloak 17.0.1" but this issue was resolved with "NOTABUG"
> * None of the github security advisories mentions CVE-2022-1466
> https://github.com/keycloak/keycloak/security/advisories
> * I tried to reproduce the fault with various Keycloak versions backing all
> the way to Keycloak 12.0.0 by following the details given in disclosure
> document
> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
> but I could not reproduce it.
>
> Please, would you clarify the affected Keycloak versions?
>
> Thank you for your help!

The issue wasn't reproducible when I tried either, but I found CVE-2022-1466 in the GitHub advisory DB, where it says every version >17.0.1 is affected. https://github.com/advisories/GHSA-f32v-vf79-p29q
Interesting. That GitHub advisory is for the Maven package keycloak-core, so it likely comes from Maven Central, where every keycloak-core package prior to 17.0.1 is now flagged with CVE-2022-1466, for example https://mvnrepository.com/artifact/org.keycloak/keycloak-core/16.1.1. Since the GitHub advisory was created on Apr 27 and the version information "Fixed In Version: keycloak 17.0.1" in this Bugzilla issue was added on Apr 25, I guess this issue is the source.
@security-response-team If we have not enabled SSO, are we still vulnerable to these two CVEs: CVE-2022-1466 and CVE-2022-1245?