Keycloak Patches Multiple Vulnerabilities in Latest Update

### #KeycloakSecurity #IdentityManagementRisks #OpenSourceVulnerabilities

Summary: Keycloak has released critical security updates to address multiple vulnerabilities that could lead to denial-of-service attacks, information disclosure, and authentication bypass. Users are urged to upgrade to the latest patched versions to mitigate these risks.

Threat Actor: Unknown | unknown
Victim: Keycloak Users | Keycloak

Key Point :

  • Multiple vulnerabilities in Keycloak could lead to denial-of-service attacks and information disclosure.
  • CVE-2024-10270 allows attackers to exhaust system resources, leading to DoS attacks.
  • CVE-2024-10451 risks sensitive data exposure during the build process.
  • Mutual TLS (mTLS) authentication can be bypassed, allowing impersonation of users on local networks (CVE-2024-10039).
  • Users are strongly advised to update to versions 24.0.9 or 26.0.6 to address these vulnerabilities.

Open-source identity and access management platform Keycloak has released important security updates to address multiple vulnerabilities, including risks of denial-of-service attacks, information disclosure, and authentication bypass.

The vulnerabilities, ranging in severity, affect various aspects of the Keycloak platform. Some of the most critical include:

  • CVE-2024-10270 (CVSS 6.5): A vulnerability in the SearchQueryUtils method could allow an attacker to trigger a denial-of-service (DoS) attack by exhausting system resources.
  • CVE-2024-10451 (CVSS 5.9): Sensitive data, such as passwords, could be inadvertently embedded in bytecode during the build process, potentially leading to information disclosure.
  • CVE-2024-10039 (CVSS 7.1): In deployments using mutual TLS (mTLS) authentication, an attacker on the local network could potentially bypass authentication and impersonate users or clients. “Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected,” the security advisory warns. “This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

Other vulnerabilities addressed in the update include:

  • CVE-2024-10492 (CVSS 2.7): Allows a high-privileged user to potentially access sensitive information from a Vault file.
  • CVE-2024-9666 (CVSS 4.7): A DoS vulnerability related to the improper handling of proxy headers.

Keycloak urges users to update to the patched versions (24.0.9 or 26.0.6) immediately to mitigate these risks.

Related Posts:

Source: https://securityonline.info/keycloak-patches-multiple-vulnerabilities-in-latest-update