A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.keycloak:keycloak-ldap-federation(Maven) | 25.0.0 | 25.0.1 | N/A |
| org.keycloak:keycloak-ldap-federation(Maven) | 0 | 22.0.12 | N/A |
| org.keycloak:keycloak-ldap-federation(Maven) | 23.0.0 | 24.0.6 | N/A |
CVSS Metrics
