Bug 2274403 (CVE-2024-3656) - CVE-2024-3656 keycloak: Unguarded admin REST API endpoints allows low privilege users to use administrative functionalities
Summary: CVE-2024-3656 keycloak: Unguarded admin REST API endpoints allows low privile...
Keywords:
Status: NEW
Alias: CVE-2024-3656
Deadline: 2024-10-09
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2274405
TreeView+ depends on / blocked
 
Reported: 2024-04-10 20:39 UTC by Pedro Sampaio
Modified: 2024-10-09 18:16 UTC (History)
38 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2024-04-10 20:39:47 UTC 
Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
Note You need to log in before you can comment on or make changes to this bug.