2.7

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-gmrm-8fx4-66x7

EPSS Score

CWE

CWE-276

Published

6/18/2024

Updated

9/9/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-gmrm-8fx4-66x7

GHSA-gmrm-8fx4-66x7: Duplicate Advisory: Keycloak: Leak of configured LDAP bind credentials

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-c25h-c27q-5qpv. This link is maintained to preserve external references.

Original Description

A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.

(GitHub Advisory)

2.7

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-gmrm-8fx4-66x7

EPSS Score

CWE

CWE-276

Published

6/18/2024

Updated

9/9/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-core	maven	<= 24.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key flaws: 1) The LDAP testing endpoint's failure to require credential re-validation when connection parameters change, and 2) The configuration update mechanism allowing URL modification without credential confirmation. These functions were identified based on the described attack pattern (changing URL to attacker-controlled host) and Keycloak's architecture where user federation configuration and test endpoints are managed through admin REST resources and storage providers. The high confidence comes from the direct mapping between described vulnerability mechanics and Keycloak's known LDAP management implementation patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## *upli**t* **visory T*is **visory **s ***n wit**r*wn ****us* it is * *upli**t* o* **S*-****-***q-*qpv. T*is link is m*int*in** to pr*s*rv* *xt*rn*l r***r*n**s. ## Ori*in*l **s*ription * vuln*r**ility w*s *oun* in K*y*lo*k. T** L**P t*stin* *n*poi

Reasoning

T** vuln*r**ility st*ms *rom two k*y *l*ws: *) T** L**P t*stin* *n*point's **ilur* to r*quir* *r***nti*l r*-v*li**tion w**n *onn**tion p*r*m*t*rs ***n**, *n* *) T** `*on*i*ur*tion` up**t* m****nism *llowin* URL mo*i*i**tion wit*out *r***nti*l *on*irm

2.7

Basic Information

Concerned about an active attack path?

GHSA-gmrm-8fx4-66x7: Duplicate Advisory: Keycloak: Leak of configured LDAP bind credentials

Duplicate Advisory

Original Description

2.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI