[MAVEN:GHSA-2CWW-FGMG-4JQC] Keycloak's admin API allows low privilege users to use administrative functions

Severity: High
Affected Packages: 1
Fixed Packages: 1
CVEs: 1

Users with low privileges (plain users in the realm) are able to use administrative functionality in the Keycloak admin interface. This issue presents a significant security risk because it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Acknowledgements:
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

Package                                    Affected Version
pkg:maven/org.keycloak/keycloak-services   < 24.0.5

Package                                    Fixed Version
pkg:maven/org.keycloak/keycloak-services   = 24.0.5
ID: MAVEN:GHSA-2CWW-FGMG-4JQC
Severity: high
URL: https://github.com/advisories/GHSA-2cww-fgmg-4jqc
Published: 2024-06-11T20:22:40
Modified: 2024-06-11T20:22:44
Rights: Maven Security Team
Type      Package URL                                Namespace      Name / Product      Version    Distribution / Platform   Arch   Patch / Fix
Affected  pkg:maven/org.keycloak/keycloak-services   org.keycloak   keycloak-services   < 24.0.5   -                         -      -
Fixed     pkg:maven/org.keycloak/keycloak-services   org.keycloak   keycloak-services   = 24.0.5   -                         -      -