CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
13.7%
The LDAP testing endpoint allows changing the Connection URL independently of, and without having to re-enter, the currently configured LDAP bind credentials. An attacker with admin access (the manage-realm permission) can change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will then connect to the attacker's host and attempt to authenticate with the stored bind credentials, thus leaking them to the attacker.
As a consequence, an attacker who has compromised the admin console, or compromised a user with sufficient privileges, can leak domain credentials and then attack the domain.
Special thanks to Simon Wessling for reporting this issue and helping us improve our project.
access.redhat.com/security/cve/CVE-2024-5967
bugzilla.redhat.com/show_bug.cgi?id=2292200
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/0d0530046b9cb4b0d74d2fdefc9bd04f1d20cac0
github.com/keycloak/keycloak/commit/1f56a9e48bf96c3bcb18dfc6cd93e3dd16f281f1
github.com/keycloak/keycloak/commit/bde8568d4174a7072f7c7bb507d2c7d05824b1a6
github.com/keycloak/keycloak/issues/30434
github.com/keycloak/keycloak/security/advisories/GHSA-c25h-c27q-5qpv
nvd.nist.gov/vuln/detail/CVE-2024-5967