Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-3656

Good to know:

icon
icon

Date: October 9, 2024

Keycloak's admin API allows low privilege users to use administrative functions. Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Language: Java

Severity Score

Related Resources (12)

https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://bugzilla.redhat.com/show_bug.cgi?id=2274403
https://github.com/keycloak/keycloak/security/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/
https://access.redhat.com/errata/RHSA-2024:3575
https://nvd.nist.gov/vuln/detail/CVE-2024-3656
https://access.redhat.com/security/cve/CVE-2024-3656
https://github.com/keycloak/keycloak
https://news.ycombinator.com/item?id=42136000
https://github.com/keycloak/keycloak/commit/d9f0c84b797525eac55914db5f81a8133ef5f9b1
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
https://www.mend.io/vulnerability-database/CVE-2024-3656

Severity Score

Weakness Type (CWE)

Improper Access Control

CWE-284

Information Leak / Disclosure

CWE-200

Improper Privilege Management

CWE-269

Top Fix

icon

Upgrade Version

Upgrade to version org.keycloak:keycloak-services:24.0.5;org.keycloak:keycloak-rest-admin-ui-ext:24.0.5

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us