Description
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
Statement
This vulnerability is rated Moderate by Red Hat. The flaw in Keycloak's OIDC Dynamic Client Registration allows an attacker to force the Keycloak server to make requests to internal network resources via a crafted jwks_uri parameter. This can lead to information disclosure and internal network reconnaissance, particularly in configurations that permit anonymous or token-based client registration.
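The description above says the server fetches whatever jwks_uri the registering client supplies, with no check on the destination. The following is an added example, not Keycloak's code, of the destination check a registration endpoint should apply before fetching a client-supplied jwks_uri for a private_key_jwt client: require https, refuse userinfo and non-standard ports, resolve the host and reject the URI if any answer falls in a loopback, private, link-local (including the 169.254.169.254 cloud metadata address) or otherwise internal range, including IPv4-mapped IPv6 forms, and hand back the pinned addresses so the fetch does not re-resolve the name. The hostnames and the DNS table are constructed so the example runs offline.

```python
"""Added example (not Keycloak code): destination checks for a client-supplied
jwks_uri before it is fetched during OIDC dynamic client registration."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a jwks_uri must never resolve to. 169.254.0.0/16 covers the
# 169.254.169.254 cloud metadata endpoint named in the advisory.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class JwksUriRejected(ValueError):
    """Raised when a jwks_uri must not be fetched."""


def system_resolver(host):
    """Resolve a hostname to every address system DNS returns (A and AAAA)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise JwksUriRejected(f"cannot resolve {host!r}: {exc}") from exc
    return {ipaddress.ip_address(info[4][0]) for info in infos}


# Constructed DNS table (hypothetical names) so the example runs offline.
EXAMPLE_DNS = {
    "rp.example.com": {"203.0.113.10"},
    # Rebinding-style name: one public answer and one internal answer.
    "rebind.example.com": {"203.0.113.20", "10.0.0.5"},
}


def example_resolver(host):
    try:
        return {ipaddress.ip_address(a) for a in EXAMPLE_DNS[host]}
    except KeyError:
        raise JwksUriRejected(f"cannot resolve {host!r}") from None


def _is_blocked(addr):
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_jwks_uri(uri, resolver=system_resolver, allowed_ports=(443,)):
    """Return (host, port, pinned_addresses) or raise JwksUriRejected.

    Every resolved address is checked; one internal answer rejects the URI, so
    a name mixing public and internal records cannot get through.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise JwksUriRejected("jwks_uri must use https")
    if parts.username is not None or parts.password is not None:
        raise JwksUriRejected("userinfo in jwks_uri is not allowed")
    host = parts.hostname
    if not host:
        raise JwksUriRejected("jwks_uri has no host")
    try:
        port = parts.port or 443
    except ValueError:
        raise JwksUriRejected("malformed port in jwks_uri") from None
    if port not in allowed_ports:
        raise JwksUriRejected(f"port {port} is not allowed for jwks_uri")
    try:
        addrs = {ipaddress.ip_address(host)}  # literal address, no DNS lookup
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise JwksUriRejected(f"{host!r} resolved to no addresses")
    for addr in addrs:
        if _is_blocked(addr):
            raise JwksUriRejected(f"{host!r} resolves to blocked address {addr}")
    # The fetch must connect to one of these pinned addresses (with SNI and Host
    # set to `host`) rather than re-resolve, or DNS rebinding bypasses the check.
    return host, port, sorted(addrs, key=str)


def is_safe_jwks_uri(uri, resolver=system_resolver):
    try:
        validate_jwks_uri(uri, resolver)
        return True
    except JwksUriRejected:
        return False


def check_registration(request, resolver=system_resolver):
    """Gate a registration body: returns the pinned target for private_key_jwt
    clients that supply jwks_uri, None when nothing needs fetching, and raises
    JwksUriRejected for a disallowed destination."""
    if request.get("token_endpoint_auth_method") != "private_key_jwt":
        return None
    if "jwks_uri" not in request:
        return None  # inline `jwks` or no key material: nothing to fetch
    return validate_jwks_uri(request["jwks_uri"], resolver)


if __name__ == "__main__":
    # Constructed registration bodies: the attacker's probe and a legitimate RP.
    for body in (
        {"token_endpoint_auth_method": "private_key_jwt",
         "jwks_uri": "http://169.254.169.254/latest/meta-data/"},
        {"token_endpoint_auth_method": "private_key_jwt",
         "jwks_uri": "https://rp.example.com/.well-known/jwks.json"},
    ):
        try:
            print("allow", check_registration(body, example_resolver))
        except JwksUriRejected as exc:
            print("reject", exc)
```

The check is deliberately applied to every resolved address and returns those addresses for the caller to pin; validating the name once and then letting the HTTP client resolve it again is the classic time-of-check/time-of-use hole that DNS rebinding exploits. Redirects from the fetched jwks_uri need the same treatment on every hop, which this example leaves to the HTTP layer.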
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria (ease of use and deployment, applicability to a widespread installation base, and stability).
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Build of Keycloak | rhbk/keycloak-operator-bundle | Fix deferred | | |
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9 | Affected | | |
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9-operator | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform 8 | keycloak-services | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | keycloak-services | Not affected | | |
| Red Hat Single Sign-On 7 | keycloak-services | Not affected | | |
Additional information
CVSS3: 5.8 (Medium)
Related vulnerabilities
Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF)
CVSS3: 5.8 (Medium)