CVE-2024-3656
published 2024-10-09
Priority P3 57 · high · 8.1 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EXPLOIT
EPSS 2.84% (84.9th percentile)
A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
Detection & IOCs (extracted from sources)
url: /realms/{{realm}}/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri={{Scheme}}%3A%2F%2f{{Hostname}}%2Fadmin%2F{{realm}}%2Fconsole%2F&state=1&response_mode=query&response_type=code&scope=openid&nonce=1&code_challenge_method=S256&code_challenge={{code_challenge}}
url: /realms/{{realm}}/login-actions/authenticate?client_id=security-admin-console&tab_id={{tabid}}&client_data=eyJydCI6ImNvZGUiLCJybSI6InF1ZXJ5Iiwic3QiOiIxIn0=
url: /realms/{{realm}}/protocol/openid-connect/token
url: /admin/realms/{{realm}}/testLDAPConnection
command: {"action": "testConnection", "connectionUrl": "ldap://{{interactsh-url}}/", "bindDn": "cn=admin,dc=example,dc=com", "bindCredential": "password", "useTruststoreSpi": "ldapsOnly", "connectionTimeout": "5000"}
- Monitor for low-privilege (non-admin) bearer tokens used against the /admin/realms/*/testLDAPConnection endpoint; a successful (non-403) response indicates exploitation of the broken access control.
- Detect outbound LDAP connections (DNS lookups or TCP connects) originating from the Keycloak server to unexpected external hosts, which may indicate SSRF or LDAP injection via the testLDAPConnection admin API endpoint.
- Alert on HTTP requests to Keycloak admin REST API paths (/admin/realms/*) where the authenticated user is not a realm administrator; the absence of an HTTP 403 response is a positive exploitation indicator.
- Use Shodan/FOFA queries to identify exposed Keycloak instances: favicon hash -1105083093, HTML body containing 'keycloak', or page title 'keycloak'.
- The exploit flow uses the security-admin-console client with PKCE (S256 code_challenge) to obtain a bearer token for a low-privilege user, then replays it against guarded admin endpoints. Look for this client_id in token requests from non-admin accounts.
- Only the Keycloak server is affected; Keycloak client libraries do not ship the vulnerable code.
- Red Hat Single Sign-On 7 is affected, but Red Hat JBoss Enterprise Application Platform 8 is not affected.
- No mitigation is available that meets Red Hat's criteria; patching to Keycloak 24.0.5 or later is the only remediation.
- The PoC template requires valid (but low-privilege) realm credentials to be supplied; this is an authenticated exploit (PR:L).
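The detection points above (non-admin principals receiving non-403 responses from /admin/realms/*, the testLDAPConnection endpoint in particular, and security-admin-console tokens issued to non-admin accounts) can be turned into a single log-review pass. The script below is an added example written for this page, not code from the Keycloak project or from the Nuclei template. It assumes an access-log pipeline that has already decoded each bearer token into its subject and realm roles (the `sub`, `roles` and `client_id` fields in the constructed records are that assumption), and the set of role names treated as administrative is likewise an assumption to adjust for a given deployment.

```python
import re
from dataclasses import dataclass

# ASSUMPTION: these role names are the Keycloak realm-management roles that
# legitimately grant admin REST API access; custom mappings differ per deployment.
ADMIN_ROLES = {"admin", "realm-admin", "manage-realm", "manage-users",
               "view-realm", "view-users", "manage-clients", "query-users"}

ADMIN_API = re.compile(r"^/admin/realms/(?P<realm>[^/?]+)(?P<rest>/[^?]*)?")
TOKEN_ENDPOINT = re.compile(r"^/realms/(?P<realm>[^/?]+)/protocol/openid-connect/token")


@dataclass
class Finding:
    kind: str
    severity: str
    path: str
    subject: str
    status: int
    detail: str


def is_admin(roles):
    """True if the principal holds at least one administrative realm role."""
    return bool(ADMIN_ROLES & set(roles))


def classify(rec):
    """Return a Finding for one enriched access-log record, or None if benign."""
    path, status, roles = rec["path"], rec["status"], rec.get("roles", [])
    subject = rec.get("sub", "?")

    m = ADMIN_API.match(path)
    if m:
        if is_admin(roles):
            return None          # an administrator using the admin API is expected
        if status in (401, 403):
            return None          # access control held; nothing to report
        rest = m.group("rest") or ""
        severity = "high"
        detail = "non-admin principal received a non-403 response from the admin REST API"
        if rest.startswith("/testLDAPConnection"):
            # The page's IOCs single this endpoint out: the server opens an outbound
            # LDAP connection to a caller-supplied URL, so pair this with egress alerts.
            severity = "critical"
            detail += "; testLDAPConnection reached by a non-admin (check outbound LDAP/DNS)"
        return Finding("admin-api-access-by-non-admin", severity, path, subject, status, detail)

    if (TOKEN_ENDPOINT.match(path) and status == 200
            and rec.get("client_id") == "security-admin-console" and not is_admin(roles)):
        return Finding("admin-console-token-for-non-admin", "medium", path, subject, status,
                       "security-admin-console token issued to an account without admin roles")
    return None


def scan(records):
    """Run classify over a batch of records and keep only the findings."""
    return [f for f in map(classify, records) if f is not None]


# Constructed sample records (not real traffic), already enriched with token claims.
SAMPLE_LOG = [
    {"path": "/admin/realms/demo/users", "status": 200,
     "sub": "ops-admin", "roles": ["realm-admin"]},
    {"path": "/realms/demo/protocol/openid-connect/token", "status": 200,
     "sub": "jdoe", "roles": ["default-roles-demo", "offline_access"],
     "client_id": "security-admin-console"},
    {"path": "/admin/realms/demo/testLDAPConnection", "status": 204,
     "sub": "jdoe", "roles": ["default-roles-demo", "offline_access"]},
    {"path": "/admin/realms/demo/testLDAPConnection", "status": 403,
     "sub": "asmith", "roles": ["default-roles-demo"]},
    {"path": "/admin/realms/demo/users?first=0&max=20", "status": 200,
     "sub": "jdoe", "roles": ["default-roles-demo"]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind} sub={f.subject} {f.path} -> {f.status}: {f.detail}")
```

The 403 record produces no finding on purpose: on a patched server that is the expected outcome, and the rule only fires when the guard is absent. The token-endpoint rule is kept at medium severity because a non-admin obtaining a security-admin-console token is suspicious but not by itself proof of admin API access; the high and critical findings are the ones to page on.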
CVSS provenance
nvd: v3.1 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vendor_redhat: 8.1 HIGH
Red Hat
keycloak: Unguarded admin REST API endpoints allow low-privilege users to use administrative functionalities
vendor_redhat · 2024-10-09 · CVSS 8.1 · CVE-2024-3656 [HIGH] CWE-200
A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
Statement: Red Hat has evaluated this vulnerability. This affects only the Keycloak server; no Keycloak client library ships the affected
OSV
Keycloak's admin API allows low privilege users to use administrative functions
osv · 2024-06-11 · CVE-2024-3656 [HIGH]
Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
**Acknowledgements:**
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.
GHSA
ghsa · 2024-06-11 · CVE-2024-3656 [HIGH] CWE-200
Same title, description and acknowledgement as the OSV entry above.
No detection rules found.
Nuclei
Keycloak < 24.0.5 - Broken Access Control
nuclei · CVSS 8.1 · CVE-2024-3656 [HIGH]
Template:
id: CVE-2024-3656

info:
  name: Keycloak < 24.0.5 - Broken Access Control
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
  impact: |
    Authenticated low-privilege users can acce
References
https://access.redhat.com/errata/RHSA-2024:3572
https://access.redhat.com/errata/RHSA-2024:3575
https://access.redhat.com/security/cve/CVE-2024-3656
https://bugzilla.redhat.com/show_bug.cgi?id=2274403
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
https://news.ycombinator.com/item?id=42136000
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/