Описание
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Отчет
This is a LOW impact flaw in Keycloak where disabled unmanaged user attributes are disclosed. An authenticated user with the view-users role can access attributes that are configured to be hidden from both users and administrators, violating the intended privacy settings.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9 | Affected |
Показывать по
Дополнительная информация
Статус:
2.7 Low
CVSS3
Связанные уязвимости
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
A flaw was found in Keycloak. An authenticated user with the view-user ...
Keycloak: Information disclosure of disabled user attributes via administrative endpoint
2.7 Low
CVSS3