
CVE-2022-1245: Keycloak vulnerable to privilege escalation on Token Exchange feature

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.59633%
Published: 4/26/2022
Updated: 6/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected package:
Package Name: org.keycloak:keycloak-services
Ecosystem: maven
Vulnerable Versions: < 18.0.0
First Patched Version: 18.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from missing authorization checks in three key areas:

1) Token exchange logic in DefaultTokenExchangeProvider allowed clients to exchange tokens not intended for them, due to insufficient validation of token ownership/audience.
2) ClientPermissions' canExchangeTo had a bypass for same-client exchanges.
3) User impersonation checks in UserPermissions lacked client context validation.

The patch added checks for token holder matching, audience validation, and client-aware impersonation policies, directly addressing these gaps.
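The three gaps and the three corresponding checks are easiest to see side by side in a small model of the exchange decision. The following is an added illustration, not Keycloak's code: the token fields (subject, issuing client, audience), the policy tables, the client names and the function names are all assumptions chosen for the example, and the "vulnerable" function reproduces only the decision gaps described above, not the project's real implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    subject: str              # user the token represents
    issued_to: str            # client the token was issued to (the token holder)
    audience: frozenset       # clients entitled to accept this token


@dataclass(frozen=True)
class ExchangePolicy:
    exchange_allowed: dict     # requesting client -> target clients it may exchange to
    impersonate_allowed: dict  # requesting client -> users it may impersonate


class ExchangeDenied(Exception):
    """Raised when a token-exchange request fails an authorization check."""


def _mint(subject, target_client):
    # Stand-in for issuing the new token for the target client (constructed).
    return AccessToken(subject, target_client, frozenset({target_client}))


def exchange_vulnerable(token, requesting_client, target_client, policy, impersonate=None):
    """Decision logic with the three gaps the analysis describes (constructed model)."""
    # Gap 1: never checks that `token` was issued to, or intended for, requesting_client.
    # Gap 2: a same-client exchange skips the policy lookup entirely.
    if requesting_client != target_client:
        if target_client not in policy.exchange_allowed.get(requesting_client, ()):
            raise ExchangeDenied("target not permitted")
    subject = token.subject
    if impersonate is not None and impersonate != token.subject:
        # Gap 3: impersonation is checked without regard to which client is asking.
        anyone_may = set().union(*policy.impersonate_allowed.values())
        if impersonate not in anyone_may:
            raise ExchangeDenied("impersonation not permitted")
        subject = impersonate
    return _mint(subject, target_client)


def exchange_hardened(token, requesting_client, target_client, policy, impersonate=None):
    """Same decision with holder, audience and client-aware impersonation checks."""
    # Check 1: the presented token must have been issued to the requesting client,
    # or name it in its audience (token holder matching / audience validation).
    if token.issued_to != requesting_client and requesting_client not in token.audience:
        raise ExchangeDenied("token was not issued to or intended for the requesting client")
    # Check 2: the exchange policy applies to every target, the requesting client included.
    if target_client not in policy.exchange_allowed.get(requesting_client, ()):
        raise ExchangeDenied("requesting client may not exchange to target")
    # Check 3: impersonation is evaluated for the specific requesting client.
    subject = token.subject
    if impersonate is not None and impersonate != token.subject:
        if impersonate not in policy.impersonate_allowed.get(requesting_client, ()):
            raise ExchangeDenied("requesting client may not impersonate that user")
        subject = impersonate
    return _mint(subject, target_client)


def _outcome(fn, *args):
    try:
        issued = fn(*args)
        return f"issued to {issued.issued_to} as {issued.subject}"
    except ExchangeDenied as exc:
        return f"denied: {exc}"


def run_scenarios():
    """Run the same four requests through both decision functions (constructed data)."""
    policy = ExchangePolicy(
        exchange_allowed={"app-a": {"app-c"}, "app-b": {"app-c"}},
        impersonate_allowed={"admin-console": {"alice"}},
    )
    token_a = AccessToken("bob", "app-a", frozenset({"app-a"}))  # issued to app-a
    token_b = AccessToken("bob", "app-b", frozenset({"app-b"}))  # issued to app-b
    outcomes = {}
    for name, fn in (("vulnerable", exchange_vulnerable), ("hardened", exchange_hardened)):
        # app-b presents a token that belongs to app-a and asks for an app-c token.
        outcomes[name, "foreign-token"] = _outcome(fn, token_a, "app-b", "app-c", policy)
        # app-b exchanges to itself, which the vulnerable version exempts from policy.
        outcomes[name, "same-client"] = _outcome(fn, token_b, "app-b", "app-b", policy)
        # app-a asks for a token as alice; only admin-console may impersonate her.
        outcomes[name, "impersonate"] = _outcome(fn, token_a, "app-a", "app-c", policy, "alice")
        # The legitimate holder exchanging to a permitted target succeeds either way.
        outcomes[name, "legitimate"] = _outcome(fn, token_a, "app-a", "app-c", policy)
    return outcomes


if __name__ == "__main__":
    for key, result in run_scenarios().items():
        print(f"{key[0]:>10} / {key[1]:<13}: {result}")
```

The useful reading is the diff between the two columns of output: the first three scenarios are issued by the vulnerable decision and denied by the hardened one, each for the reason that maps to one of the three gaps, while the legitimate exchange is unchanged. When reviewing a token-exchange implementation, those are the three cases worth a test each.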


WAF Protection Rules

WAF Rule

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This coul
