keycloak-ldap-federation and keycloak-services are vulnerable to LDAP injection. The flaw lies in the getFilterById function in LDAPOperationManager.java and the getUserFromForm function in AbstractUsernameFormAuthenticator.java. The id value is interpolated into the LDAP search filter built by getFilterById without being sanitized, so an attacker who controls that input can inject LDAP filter metacharacters (such as `*`, `(`, `)` and `\`) and change the structure of the query, which results in LDAP injection attacks.
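The following is an added illustration of the bug class described above, not Keycloak's code: a filter built by string concatenation from a caller-controlled id, beside the same filter built with RFC 4515 escaping of the value. The method names, the `uid` attribute, the `objectClass=person` conjunction and the attacker-supplied id are assumptions chosen for the demonstration.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added example (not Keycloak's code) of the LDAP filter injection pattern:
 * an id interpolated into a search filter unescaped versus escaped per RFC 4515.
 * Attribute names and the sample attacker input below are assumptions.
 */
public class LdapFilterInjectionDemo {

    // Vulnerable pattern: the id is concatenated into the filter unchanged, so any
    // filter metacharacters it contains become part of the filter's structure.
    static String buildFilterUnsafe(String idAttribute, String id) {
        return "(&(objectClass=person)(" + idAttribute + "=" + id + "))";
    }

    // RFC 4515 value escaping: '*', '(', ')', '\' and NUL must be written as \XX hex
    // escapes; control bytes and the UTF-8 bytes of non-ASCII characters are escaped
    // the same way so the value can never be parsed as filter syntax.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean metachar = c == '*' || c == '(' || c == ')' || c == '\\' || c == 0;
            if (metachar || c < 0x20 || c >= 0x7f) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Hardened pattern: the id is escaped before interpolation, so the filter keeps
    // exactly one attribute=value component regardless of the input.
    static String buildFilterSafe(String idAttribute, String id) {
        return "(&(objectClass=person)(" + idAttribute + "=" + escapeFilterValue(id) + "))";
    }

    // Cheap structural check usable in a unit test: a filter of the form
    // (&(objectClass=person)(attr=value)) must contain exactly three '(' characters.
    static int countComponents(String filter) {
        int open = 0;
        for (char ch : filter.toCharArray()) {
            if (ch == '(') {
                open++;
            }
        }
        return open;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled id: closes the uid component and appends
        // a clause that every person entry satisfies.
        String attackerId = "*)(objectClass=*";

        String unsafe = buildFilterUnsafe("uid", attackerId);
        String safe = buildFilterSafe("uid", attackerId);

        // Unescaped: (&(objectClass=person)(uid=*)(objectClass=*)) matches every person.
        System.out.println("unsafe: " + unsafe + "  components=" + countComponents(unsafe));
        // Escaped: (&(objectClass=person)(uid=\2a\29\28objectClass=\2a)) matches nothing.
        System.out.println("safe:   " + safe + "  components=" + countComponents(safe));
    }
}
```

The unescaped filter is still syntactically valid LDAP, which is what makes this class of bug dangerous: the directory server happily evaluates the widened conjunction and the lookup that was meant to return one user returns all of them. The escaped variant turns the same input into a literal value that no entry's uid matches. The `countComponents` check is the kind of assertion worth adding to a regression test for any code path that builds filters from user input.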