Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 8 |
CVE-ID | CVE-2024-1249 CVE-2024-1132 CVE-2023-6787 CVE-2023-0657 CVE-2023-6717 CVE-2024-2419 CVE-2023-6544 CVE-2023-3597 |
CWE-ID | CWE-264 CWE-22 CWE-384 CWE-613 CWE-79 CWE-285 CWE-287 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Keycloak (Server applications / Directory software, identity management) |
Vendor | Keycloak |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
EUVDB-ID: #VU88799
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-1249
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the "checkLoginIframe" mechanism accepts cross-origin messages without validating their origin. A remote attacker can use a simple script to send millions of requests in seconds, significantly degrading the application's availability.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Keycloak: 22.0.0 - 24.0.2
External links: https://github.com/keycloak/keycloak/security/advisories/GHSA-m6q9-p373-g5q8
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88798
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-1132
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to improper validation of URLs included in a redirect in org.keycloak.protocol.oidc. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Note, the vulnerability affects any client that uses a wildcard in the Valid Redirect URIs field.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Keycloak: 22.0.0 - 24.0.2
External links: https://github.com/keycloak/keycloak/security/advisories/GHSA-72vp-xfrc-42xm
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88797
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-6787
CWE-ID:
CWE-384 - Session Fixation
Exploit availability: No
Description: The vulnerability allows a remote attacker to hijack the session of another user.
The vulnerability exists due to an error in the re-authentication mechanism in org.keycloak.authentication. An active Keycloak session can be hijacked by initiating a new authentication (with the query parameter prompt=login) that forces the user to enter their credentials again. If the user cancels this re-authentication by clicking "Restart login", an account takeover can occur, because the new session, issued with a different SUB, keeps the same SID as the previous session.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Keycloak: 22.0.0 - 24.0.2
External links: https://github.com/keycloak/keycloak/security/advisories/GHSA-c9h6-v78w-52wj
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88796
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-0657
CWE-ID:
CWE-613 - Insufficient Session Expiration
Exploit availability: No
Description: The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists because the software does not properly enforce token types when validating signatures locally. An authenticated user can use this flaw to exchange a logout token for an access token and possibly gain access to data outside of the enforced permissions.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Keycloak: 22.0.0 - 24.0.2
External links: https://github.com/keycloak/keycloak/security/advisories/GHSA-7fpj-9hr8-28vh
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
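The two flaws above (CVE-2023-6787 and CVE-2023-0657) both come down to what a relying party checks after the signature verifies. The following is an added example, not Keycloak code: it signs and verifies JWTs locally, refuses to treat anything but a "Bearer"-typed token as an access token, and flags a token pair in which the subject changed but the session id did not. Keycloak signs with realm RSA keys; this example uses HS256 with a constructed key so it runs offline. The key, issuer, fixed clock and claim values are assumptions made for the demo.

```python
# Added example (not Keycloak code): local validation of Keycloak-issued JWTs.
# It checks the 'typ' claim before accepting a token as an access token
# (CVE-2023-0657) and flags a session id reused across different subjects
# (CVE-2023-6787). Keycloak signs with realm RSA keys; this example uses
# HS256 with a constructed key only so that it runs offline. Key, issuer,
# clock and claim values are assumptions made for the demo.
import base64
import hashlib
import hmac
import json
from typing import Optional

DEMO_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://sso.example.com/realms/demo"
NOW = 1_700_000_000  # fixed clock so the checks are deterministic


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, typ: str, key: bytes = DEMO_KEY, now: int = NOW) -> str:
    """Build an HS256 JWT carrying Keycloak's 'typ' claim ("Bearer", "ID", "Logout", ...)."""
    header = {"alg": "HS256", "kid": "demo"}
    body = {"iss": ISSUER, "iat": now, "exp": now + 300, "typ": typ, **claims}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, body)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Return the claims if the HS256 signature is valid, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def access_token_rejection_reason(token: str, now: int = NOW) -> Optional[str]:
    """None if the token may be used as an access token, otherwise why not.

    A verifier that stops after verify_signature() would accept a logout
    token here: that is the mistake behind CVE-2023-0657.
    """
    try:
        claims = verify_signature(token)
    except ValueError as exc:
        return str(exc)
    if claims.get("iss") != ISSUER:
        return "wrong issuer"
    if claims.get("typ") != "Bearer":
        return f"typ is {claims.get('typ')!r}, expected 'Bearer'"
    if claims.get("exp", 0) <= now:
        return "expired"
    return None


def sid_reused_across_subjects(old_claims: dict, new_claims: dict) -> bool:
    """True when a new login for a different subject kept the previous sid.

    After a prompt=login re-authentication is cancelled with "Restart login",
    vulnerable versions could issue a token with a new sub but the old sid
    (CVE-2023-6787); a patched server pairs a new sub with a new sid.
    """
    same_sid = old_claims.get("sid") is not None and old_claims.get("sid") == new_claims.get("sid")
    return old_claims.get("sub") != new_claims.get("sub") and same_sid


if __name__ == "__main__":
    logout = mint({"sub": "alice", "sid": "s-1"}, typ="Logout")
    access = mint({"sub": "alice", "sid": "s-1"}, typ="Bearer")
    print("logout token used as access token:", access_token_rejection_reason(logout))
    print("access token:", access_token_rejection_reason(access))
```

The typ values follow Keycloak's convention (access tokens carry "Bearer", logout tokens "Logout", ID tokens "ID"); issuer, audience and expiry checks belong next to the typ check, since any one of them alone is not enough.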
EUVDB-ID: #VU88795
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-6717
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the assertion consumer service URL in the SAML POST-binding flow. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Keycloak: 22.0.0 - 24.0.2
External links: https://github.com/keycloak/keycloak/security/advisories/GHSA-8rmm-gm28-pj8q
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
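The SAML POST binding works by rendering a self-submitting HTML form whose action attribute is the assertion consumer service URL, so an unescaped URL becomes markup in the IdP's page. The following is an added example, not Keycloak code: it shows a string-concatenated form that the constructed payload breaks out of, beside a hardened version that HTML-escapes attribute values and, when a registered ACS list is given, accepts only an exact https match. The service provider URL, the payload and the SAMLResponse are constructed for the demo.

```python
# Added example (not Keycloak code): rendering the SAML POST-binding
# auto-submit form. The vulnerable form splices the assertion consumer
# service URL into HTML unescaped, the class of bug behind CVE-2023-6717;
# the hardened version escapes it and checks it against the SP's registered
# ACS endpoints. URLs, payload and the SAMLResponse are constructed.
import base64
import html
from typing import Optional, Set
from urllib.parse import urlsplit

REGISTERED_ACS = {"https://sp.example.com/saml/acs"}
SAML_RESPONSE_B64 = base64.b64encode(b"<samlp:Response/>").decode("ascii")
# Constructed payload: closes the action attribute and injects a script.
MALICIOUS_ACS = 'https://sp.example.com/saml/acs"><script>alert(document.domain)</script><b x="'


def post_binding_form_vulnerable(acs_url: str, saml_response_b64: str) -> str:
    """String-concatenated form: whatever is in acs_url lands in the page as markup."""
    return (
        '<form method="post" action="' + acs_url + '">'
        '<input type="hidden" name="SAMLResponse" value="' + saml_response_b64 + '"/>'
        '</form><script>document.forms[0].submit();</script>'
    )


def validate_acs_url(acs_url: str, registered: Set[str]) -> str:
    """Accept only an absolute https URL that exactly matches a registered ACS endpoint."""
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("ACS URL must be an absolute https URL")
    if acs_url not in registered:
        raise ValueError("ACS URL is not registered for this service provider")
    return acs_url


def post_binding_form(acs_url: str, saml_response_b64: str,
                      registered: Optional[Set[str]] = None) -> str:
    """Hardened form: attribute values are HTML-escaped (quotes included) and
    the destination is checked against the registered ACS list when one is given."""
    if registered is not None:
        acs_url = validate_acs_url(acs_url, registered)
    safe_action = html.escape(acs_url, quote=True)
    safe_response = html.escape(saml_response_b64, quote=True)
    return (
        f'<form method="post" action="{safe_action}">'
        f'<input type="hidden" name="SAMLResponse" value="{safe_response}"/>'
        '</form><script>document.forms[0].submit();</script>'
    )


def contains_injected_script(page: str) -> bool:
    """Demo check: the payload's script tag surviving unescaped means injection."""
    return "<script>alert(" in page


if __name__ == "__main__":
    print(post_binding_form_vulnerable(MALICIOUS_ACS, SAML_RESPONSE_B64))
    print(post_binding_form(MALICIOUS_ACS, SAML_RESPONSE_B64))
```

Escaping alone stops the script from executing; the registered-endpoint check is the stronger control, because it also prevents the signed assertion from being posted to a destination the service provider never registered.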
EUVDB-ID: #VU88794
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-2419
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description: The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an error in the redirect_uri validation logic within org.keycloak.protocol.oidc.utils. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Keycloak: 22.0.0 - 24.0.2
External links: https://access.redhat.com/security/cve/CVE-2024-2419
https://bugzilla.redhat.com/show_bug.cgi?id=2269371
https://access.redhat.com/errata/RHSA-2024:1867
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
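Both redirect_uri entries in this bulletin (CVE-2024-1132 above, which notes that any client with a wildcard in Valid Redirect URIs is affected, and CVE-2024-2419 here) concern how a wildcard pattern such as https://app.example.com/callback/* is matched. The following is an added example, not Keycloak code: a naive prefix match that lets "../" and "%2e%2e" segments through, beside a hardened match that percent-decodes and inspects the path, pins the host, and rejects fragments and backslashes; it ends with a small audit helper that lists clients using a wildcard in a realm export. The pattern, URIs and realm fragment are constructed for the demo.

```python
# Added example (not Keycloak code): matching an OIDC redirect_uri against a
# Valid Redirect URIs entry with a trailing '*' wildcard. The naive prefix
# match accepts traversal segments, the class of flaw behind CVE-2024-1132
# and CVE-2024-2419; the hardened version decodes and inspects the path first.
# The realm export used by the audit helper is a constructed fragment.
from typing import List, Optional
from urllib.parse import unquote, urlsplit, urlunsplit


def naive_match(redirect_uri: str, pattern: str) -> bool:
    """Flawed: a wildcard pattern is treated as a plain string prefix."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def normalize_redirect_uri(redirect_uri: str) -> Optional[str]:
    """Canonical form for matching, or None if the URI cannot be trusted.

    Percent-decodes the path so %2e%2e is seen as '..', rejects '.' and '..'
    segments outright, and rejects fragments and backslashes.
    """
    if "\\" in redirect_uri:
        return None                     # browsers treat '\' as '/' in http(s) URLs
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    if parts.fragment:
        return None                     # RFC 6749: redirect_uri must not carry a fragment
    path = unquote(parts.path) or "/"
    if any(seg in (".", "..") for seg in path.split("/")):
        return None                     # reject rather than silently rewrite
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def safe_match(redirect_uri: str, pattern: str) -> bool:
    """Hardened: match on the canonical URI; the wildcard only ever extends the path."""
    canonical = normalize_redirect_uri(redirect_uri)
    if canonical is None:
        return False
    if not pattern.endswith("*"):
        return canonical == normalize_redirect_uri(pattern)
    base = urlsplit(pattern[:-1])
    got = urlsplit(canonical)
    if (got.scheme, got.netloc) != (base.scheme.lower(), base.netloc.lower()):
        return False                    # host pinned exactly: no 'app.example.com*' tricks
    return base.path != "" and got.path.startswith(base.path)


def clients_with_wildcard_redirects(realm: dict) -> List[str]:
    """Audit helper: clientIds whose Valid Redirect URIs contain a '*' (realm export shape)."""
    return [c["clientId"] for c in realm.get("clients", [])
            if any("*" in uri for uri in c.get("redirectUris", []))]


SAMPLE_REALM = {  # constructed fragment in the shape of a Keycloak realm export
    "clients": [
        {"clientId": "web-app", "redirectUris": ["https://app.example.com/callback/*"]},
        {"clientId": "cli-tool", "redirectUris": ["http://localhost:8080/cb"]},
        {"clientId": "legacy", "redirectUris": ["*"]},
    ]
}


if __name__ == "__main__":
    pattern = "https://app.example.com/callback/*"
    for uri in ("https://app.example.com/callback/ok",
                "https://app.example.com/callback/../../admin",
                "https://app.example.com/callback/%2e%2e/%2e%2e/admin"):
        print(uri, "naive:", naive_match(uri, pattern), "safe:", safe_match(uri, pattern))
    print("clients to review:", clients_with_wildcard_redirects(SAMPLE_REALM))
```

Rejecting traversal segments instead of resolving them is deliberate: a redirect target that needs "../" to express is not one a legitimate client registers, and refusing it avoids arguing about which of several normalizations the server and the browser agree on. The audit helper is the quick way to find the clients the CVE-2024-1132 note says are affected before the upgrade lands.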
EUVDB-ID: #VU88793
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-6544
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to an overly permissive regular expression hard-coded for filtering the hosts allowed to register a dynamic client within the org.keycloak.services.clientregistration package. A remote attacker with enough knowledge of the environment could register a client from a host that the Dynamic Client Registration TrustedDomain configuration was meant to exclude.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Keycloak: 22.0.0 - 24.0.2
External links: https://github.com/keycloak/keycloak/security/advisories/GHSA-46c8-635v-68r2
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
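A trusted-hosts policy is only as strict as the regular expression an entry like *.example.com is turned into. The following is an added example, not Keycloak code, and the permissive conversion in it is an illustration of the bug class (unanchored, dots unescaped), not the actual expression Keycloak used: it shows which constructed host names the permissive form accepts that the anchored, escaped form rejects.

```python
# Added example (not Keycloak code): turning a Dynamic Client Registration
# trusted-hosts entry such as "*.example.com" into a regular expression.
# permissive_host_regex() illustrates the bug class behind CVE-2023-6544
# (unanchored, literal dots unescaped); it is not Keycloak's actual regex.
# strict_host_regex() anchors the pattern and escapes literals. Host names
# used in the demo are constructed.
import re
from typing import List


def permissive_host_regex(trusted: str):
    """Illustrative flawed conversion: '*' -> '.*', nothing escaped, no anchors."""
    return re.compile(trusted.replace("*", ".*"), re.IGNORECASE)


def strict_host_regex(trusted: str):
    """'*.example.com' -> one or more DNS labels then the literal suffix, anchored."""
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    if trusted.startswith("*."):
        suffix = re.escape(trusted[2:].lower())
        return re.compile(r"^(?:" + label + r"\.)+" + suffix + r"$")
    return re.compile(r"^" + re.escape(trusted.lower()) + r"$")


def host_is_trusted(host: str, trusted_hosts: List[str], strict: bool = True) -> bool:
    """Decide whether a registering host matches any trusted-hosts entry."""
    host = host.lower().rstrip(".")
    make = strict_host_regex if strict else permissive_host_regex
    return any(make(entry).search(host) for entry in trusted_hosts)


if __name__ == "__main__":
    trusted = ["*.example.com", "partner.example.org"]
    for host in ("app.example.com", "www.example.com.attacker.net", "xxxexampleycom",
                 "partner.example.org.attacker.net"):
        print(host, "permissive:", host_is_trusted(host, trusted, strict=False),
              "strict:", host_is_trusted(host, trusted))
```

The permissive form accepts www.example.com.attacker.net because the trusted suffix appears as a substring, and even xxxexampleycom because the unescaped dots match any character; an attacker who controls a host under a domain they own can therefore satisfy the policy. The strict form also needs the registering host to be derived from something the attacker cannot choose freely (the resolved client address or a verified hostname), which this example leaves to the caller.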
EUVDB-ID: #VU88792
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-3597
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
Description: The vulnerability allows a remote user to bypass the two-factor authentication (2FA) process.
The vulnerability exists because Keycloak does not correctly validate client step-up authentication in org.keycloak.authentication. A remote user authenticated with a password can use this flaw to register a false second authentication factor alongside the existing one and bypass authentication.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Keycloak: 22.0.0 - 24.0.2
External links: https://github.com/keycloak/keycloak/security/advisories/GHSA-4f53-xh3v-g8x4
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.