cbcvebase.
CVE-2024-3656
published 2024-10-09

Priority: P3 (57) · Severity: high · CVSS 3.1 base score: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 2.84% (84.9th percentile)
A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Detection & IOCs (extracted from sources)

  • URL: /realms/{{realm}}/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri={{Scheme}}%3A%2F%2f{{Hostname}}%2Fadmin%2F{{realm}}%2Fconsole%2F&state=1&response_mode=query&response_type=code&scope=openid&nonce=1&code_challenge_method=S256&code_challenge={{code_challenge}}
  • URL: /realms/{{realm}}/login-actions/authenticate?client_id=security-admin-console&tab_id={{tabid}}&client_data=eyJydCI6ImNvZGUiLCJybSI6InF1ZXJ5Iiwic3QiOiIxIn0=
  • URL: /realms/{{realm}}/protocol/openid-connect/token
  • URL: /admin/realms/{{realm}}/testLDAPConnection
  • Command (request body): {"action": "testConnection", "connectionUrl": "ldap://{{interactsh-url}}/", "bindDn": "cn=admin,dc=example,dc=com", "bindCredential": "password", "useTruststoreSpi": "ldapsOnly", "connectionTimeout": "5000"}
  • Monitor for low-privilege (non-admin) bearer tokens being used against the /admin/realms/*/testLDAPConnection endpoint — successful (non-403) responses indicate exploitation of the broken access control.
  • Detect outbound LDAP connections (DNS/TCP) originating from the Keycloak server to unexpected external hosts, which may indicate SSRF/LDAP injection via the testLDAPConnection admin API endpoint.
  • Alert on HTTP requests to Keycloak admin REST API paths (/admin/realms/*) where the authenticated user is not a realm administrator — absence of HTTP 403 response is a positive exploitation indicator.
  • Use Shodan/FOFA queries to identify exposed Keycloak instances: favicon hash -1105083093, HTML body containing 'keycloak', or page title 'keycloak'.
  • The exploit flow uses the security-admin-console client with PKCE (S256 code_challenge) to obtain a bearer token for a low-privilege user, then replays it against guarded admin endpoints. Look for this client_id in token requests from non-admin accounts.
  • Only the Keycloak server is affected; Keycloak client libraries do not ship the vulnerable code.
  • Red Hat Single Sign-On 7 is affected, but Red Hat JBoss Enterprise Application Platform 8 is NOT affected.
  • No mitigation is available that meets Red Hat's criteria; patching to Keycloak 24.0.5+ is the only remediation.
  • The PoC template requires valid (but low-privilege) realm credentials to be supplied; this is an authenticated exploit (PR:L).

CVSS provenance

NVD (CVSS v3.1): 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vendor (Red Hat): 8.1 HIGH