Keycloak Patches Multiple Vulnerabilities in Latest Update

### #KeycloakSecurity #IdentityManagementRisks #OpenSourceVulnerabilities

Summary: Keycloak has released critical security updates to address multiple vulnerabilities that could lead to denial-of-service attacks, information disclosure, and authentication bypass. Users are urged to upgrade to the latest patched versions to mitigate these risks.

Threat Actor: Unknown | unknown
Victim: Keycloak Users | Keycloak

Key Points:

  • Multiple vulnerabilities in Keycloak could lead to denial-of-service attacks and information disclosure.
  • CVE-2024-10270 allows attackers to exhaust system resources, leading to DoS attacks.
  • CVE-2024-10451 risks sensitive data exposure during the build process.
  • Mutual TLS (mTLS) authentication can be bypassed, allowing impersonation of users on local networks (CVE-2024-10039).
  • Users are strongly advised to update to versions 24.0.9 or 26.0.6 to address these vulnerabilities.

Open-source identity and access management platform Keycloak has released important security updates to address multiple vulnerabilities, including risks of denial-of-service attacks, information disclosure, and authentication bypass.

The vulnerabilities, ranging in severity, affect various aspects of the Keycloak platform. Some of the most critical include:

  • CVE-2024-10270 (CVSS 6.5): A vulnerability in the SearchQueryUtils method could allow an attacker to trigger a denial-of-service (DoS) attack by exhausting system resources.
  • CVE-2024-10451 (CVSS 5.9): Sensitive data, such as passwords, could be inadvertently embedded in bytecode during the build process, potentially leading to information disclosure.
  • CVE-2024-10039 (CVSS 7.1): In deployments using mutual TLS (mTLS) authentication, an attacker on the local network could potentially bypass authentication and impersonate users or clients. “Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected,” the security advisory warns. “This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.”
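As an added illustration of the deployment pattern the CVE-2024-10039 advisory describes (this is not code from the advisory or from the Keycloak project), the following Python audit reads a `keycloak.conf` and flags the combination of TLS terminated at the reverse proxy plus mTLS. The way the `proxy`, `proxy-headers`, `https-client-auth` and `spi-x509cert-lookup-provider` settings are mapped onto that pattern, and both sample configurations, are assumptions made for this example.

```python
# Constructed sample keycloak.conf fragments (not taken from any real deployment).
# Pattern the advisory warns about: the proxy terminates TLS and Keycloak
# learns the client certificate only indirectly (via an x509cert-lookup provider).
AFFECTED_CONF = """
# TLS ends at the reverse proxy; client cert arrives in a header
proxy-headers=xforwarded
spi-x509cert-lookup-provider=nginx
spi-x509cert-lookup-nginx-ssl-client-cert=ssl-client-cert
"""

# Pass-through: the proxy forwards TLS untouched and Keycloak verifies the
# client certificate on its own listener, which the advisory lists as unaffected.
PASSTHROUGH_CONF = """
proxy=passthrough
https-client-auth=request
https-certificate-file=/etc/keycloak/tls.crt
"""


def parse_conf(text: str) -> dict:
    """Parse keycloak.conf 'key=value' lines, skipping blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def proxy_terminates_tls(conf: dict) -> bool:
    """Assumption: proxy=edge|reencrypt, or any proxy-headers setting,
    means TLS is terminated in front of Keycloak; proxy=passthrough means it is not."""
    mode = conf.get("proxy")
    if mode == "passthrough":
        return False
    if mode in ("edge", "reencrypt"):
        return True
    return "proxy-headers" in conf


def mtls_enabled(conf: dict) -> bool:
    """mTLS is in play if Keycloak requests client certs itself or
    reads them from a proxy-supplied header via an x509cert-lookup provider."""
    return (conf.get("https-client-auth", "none") != "none"
            or "spi-x509cert-lookup-provider" in conf)


def matches_affected_pattern(conf: dict) -> bool:
    """True when the deployment matches the advisory's affected combination."""
    return proxy_terminates_tls(conf) and mtls_enabled(conf)
```

Running `matches_affected_pattern(parse_conf(...))` over the two samples flags the first and clears the second; a real audit would feed it the server's actual `conf/keycloak.conf` and the equivalent `KC_*` environment variables.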

Other vulnerabilities addressed in the update include:

  • CVE-2024-10492 (CVSS 2.7): Allows a high-privileged user to potentially access sensitive information from a Vault file.
  • CVE-2024-9666 (CVSS 4.7): A DoS vulnerability related to the improper handling of proxy headers.

Keycloak urges users to update to the patched versions (24.0.9 or 26.0.6) immediately to mitigate these risks.

Source: https://securityonline.info/keycloak-patches-multiple-vulnerabilities-in-latest-update