Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Accepted

Permalink CVE-2024-3656

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 1 year, 4 months ago by @LeSuisse Activity log

Created automatic suggestion 1 year, 4 months ago
@LeSuisse accepted 1 year, 4 months ago

Keycloak: unguarded admin rest api endpoints allows low privilege users to use administrative functionalities

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

References

RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
RHSA-2024:3572 vendor-advisoryx_refsource_REDHAT
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
RHSA-2024:3572 vendor-advisoryx_refsource_REDHAT
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
RHSA-2024:3572 vendor-advisoryx_refsource_REDHAT
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
RHSA-2024:3572 vendor-advisoryx_refsource_REDHAT
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
RHSA-2024:3572 vendor-advisoryx_refsource_REDHAT
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
RHSA-2024:3572 vendor-advisoryx_refsource_REDHAT
RHSA-2024:3575 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3656 vdb-entryx_refsource_REDHAT
RHBZ#2274403 x_refsource_REDHATissue-tracking
https://github.com/advisories/GHSA-2cww-fgmg-4jqc
https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-sy…
https://news.ycombinator.com/item?id=42136000
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md

Affected products

keycloak

<24.0.5

Red Hat Single Sign-On 7

Red Hat Build of Keycloak

org.keycloak-keycloak-parent

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.0.6
- nixpkgs-unstable 26.0.6
- nixos-unstable-small 26.0.7

Package maintainers

@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
@NickCao Nick Cao <nickcao@nichi.co>
@talyz Kim Lindberger <kim.lindberger@gmail.com>