Veracode Vulnerability Database: VERACODE:47627
Published: Jun 19, 2024 - 5:56 a.m.

Credential Leakage

Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com), 2024-06-19 05:56:48
Keywords: credential leakage, org.keycloak, keycloak-core, LDAP connection URL, administrators, validation, enforcement, LDAP bind credentials, admin access, manage-realm permission, LDAP host URL, server control, software

CVSS 3.1 base score: 2.7 (Low)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.5 (Medium), confidence: Low
EPSS: 0.0004 (Low), percentile: 9.1%

org.keycloak:keycloak-core is vulnerable to credential leakage. When an administrator changes the LDAP Connection URL of an LDAP user-federation provider, the update is neither validated nor enforced to require re-entry of the currently configured LDAP bind credentials. An attacker who already holds admin access to the realm (the "manage-realm" permission) can therefore change the LDAP host URL to a server they control, and the stored bind credentials are then sent to that server. The Privileges Required: High rating reflects that the attacker must already be a realm administrator; the impact is that such an administrator can obtain an LDAP service-account password they were never meant to see.
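The validation gap described above, beside a hardened update path, as an added example that is not Keycloak's own code. It assumes a minimal LdapConfig record, a masked placeholder (`**********`) that a UI sends to mean "keep the stored secret", and a space-separated list of LDAP URLs in the connection field; all of these names and conventions are assumptions made for the illustration. The hardened path treats any change in scheme, host or port (including an ldaps-to-ldap downgrade) as a connection change that requires the bind credential to be supplied again.

```python
"""Added example: LDAP-provider update with and without the re-entry check.
Names, the MASKED placeholder and the config record are assumptions, not
Keycloak's implementation."""
from dataclasses import dataclass, replace
from urllib.parse import urlsplit

# Assumed placeholder an admin UI sends to mean "do not change the stored secret".
MASKED = "**********"


@dataclass(frozen=True)
class LdapConfig:
    connection_url: str    # assumed: one or more space-separated LDAP URLs
    bind_dn: str
    bind_credential: str   # the stored secret that would be sent on bind


class CredentialReentryRequired(Exception):
    """Raised by the hardened path when the URL changes without a fresh credential."""


def _endpoints(connection_url):
    """Normalise 'ldap://a:389 ldaps://b' into a set of (scheme, host, port).

    Case and default ports are normalised so a cosmetic edit is not treated as
    a change, but a scheme change (ldaps -> ldap) is, since it alters where and
    how the credential travels.
    """
    out = set()
    for part in connection_url.split():
        u = urlsplit(part)
        scheme = (u.scheme or "ldap").lower()
        port = u.port or (636 if scheme == "ldaps" else 389)
        out.add((scheme, (u.hostname or "").lower(), port))
    return frozenset(out)


def _resolve_credential(stored, supplied):
    return stored.bind_credential if supplied == MASKED else supplied


def update_vulnerable(stored, new_url, new_bind_credential=MASKED):
    """Pre-fix behaviour: the URL changes freely while a masked credential keeps
    the stored secret, so the next bind sends that secret to whatever host the
    new URL names."""
    return replace(stored, connection_url=new_url,
                   bind_credential=_resolve_credential(stored, new_bind_credential))


def update_hardened(stored, new_url, new_bind_credential=MASKED):
    """Fixed behaviour: if the set of endpoints changes, the caller must supply
    the bind credential explicitly; keeping the stored one is refused."""
    if _endpoints(new_url) != _endpoints(stored.connection_url) and new_bind_credential == MASKED:
        raise CredentialReentryRequired(
            "connection URL changed; re-enter the LDAP bind credential")
    return replace(stored, connection_url=new_url,
                   bind_credential=_resolve_credential(stored, new_bind_credential))


# Constructed sample configuration (not real data).
SAMPLE = LdapConfig("ldap://ldap.corp.example:389", "cn=svc-keycloak,dc=corp,dc=example", "s3cret")


if __name__ == "__main__":
    leaked = update_vulnerable(SAMPLE, "ldap://attacker.example")
    print("vulnerable: next bind goes to", leaked.connection_url, "with", leaked.bind_credential)
    try:
        update_hardened(SAMPLE, "ldap://attacker.example")
    except CredentialReentryRequired as e:
        print("hardened:", e)
```

The useful check for operators is the inverse one: when reviewing an LDAP-provider change, ask whether the stored bind credential was re-supplied in the same update whenever the host set changed, and treat a URL-only change as a signal that the bind secret may have been sent elsewhere and should be rotated.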

Affected versions (CPE)
CPE Name        Operator   Version
keycloak core   le         24.0.5
