2.7

CVSS Score

Basic Information

CVE ID

CVE-2024-5967

GHSA ID

GHSA-c25h-c27q-5qpv

EPSS Score

CWE

CWE-276

Published

6/21/2024

Updated

7/1/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-5967

CVE-2024-5967:
Keycloak leaks configured LDAP bind credentials through the Keycloak admin console

Impact

The LDAP testing endpoint allows to change the Connection URL independently of and without having to re-enter the currently configured LDAP bind credentials. An attacker with admin access (permission manage-realm) can change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console/compromised a user with sufficient privileges can leak domain credentials and can now attack the domain.

Acknowledgements

Special thanks to Simon Wessling for reporting this issue and helping us improve our project

(GitHub Advisory)

2.7

CVSS Score

Basic Information

CVE ID

CVE-2024-5967

GHSA ID

GHSA-c25h-c27q-5qpv

EPSS Score

CWE

CWE-276

Published

6/21/2024

Updated

7/1/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-ldap-federation	maven	= 25.0.0	25.0.1
org.keycloak:keycloak-ldap-federation	maven	<= 22.0.11	22.0.12
org.keycloak:keycloak-ldap-federation	maven	>= 23.0.0, <= 24.0.5	24.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the pre-patch implementation of buildLDAPConfig, which fetched stored credentials (via realm.getComponent()) when ComponentRepresentation.SECRET_VALUE was provided, but didn't verify if the test request's connection URL/bind DN matched the original component's configuration. The patch added URI and DN comparisons (Objects.equals checks) to prevent credential reuse when these parameters are altered. The function's pre-patch behavior directly enabled the credential leak described in CVE-2024-5967.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** L**P t*stin* *n*point *llows to ***n** t** *onn**tion URL in**p*n**ntly o* *n* wit*out **vin* to r*-*nt*r t** *urr*ntly *on*i*ur** L**P *in* *r***nti*ls. *n *tt**k*r wit* **min ****ss (p*rmission m*n***-r**lm) **n ***n** t** L**P *ost

Reasoning

T** vuln*r**ility st*ms *rom t** pr*-p*t** impl*m*nt*tion o* *uil*L**P*on*i*, w*i** **t**** stor** *r***nti*ls (vi* r**lm.**t*ompon*nt()) w**n *ompon*ntR*pr*s*nt*tion.S**R*T_V*LU* w*s provi***, *ut *i*n't v*ri*y i* t** t*st r*qu*st's *onn**tion URL/*

2.7

Basic Information

Concerned about an active attack path?

CVE-2024-5967: Keycloak leaks configured LDAP bind credentials through the Keycloak admin console

Impact

Acknowledgements

2.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-5967:
Keycloak leaks configured LDAP bind credentials through the Keycloak admin console

Vulnerability Intelligence
Miggo AI