Executive Summary

This vulnerability exists in Keycloak's User-Managed Access (UMA) policy validation process. An authenticated user with the uma_protection role can bypass proper validation when creating policies. Specifically, while the system checks resource ownership for the resource ID in the URL path, it fails to validate additional resource IDs included in the request body. This flaw allows an attacker to include resource identifiers owned by other users in a policy creation request.

As a result, the attacker can create policies granting themselves unauthorized permissions on resources owned by other users. They can then obtain a Requesting Party Token (RPT) that includes permissions for these victim-owned resources, enabling access to sensitive information or unauthorized actions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive resources owned by other users within the Keycloak system. An attacker with the appropriate role can gain permissions on victim-owned UMA-protected resources without proper authorization.

• Unauthorized access to sensitive information.
• Ability to perform unauthorized actions on victim-owned resources.
• Compromise of resource confidentiality and integrity.

Overall, this poses a high-severity security risk that can undermine trust and security within systems relying on Keycloak for access management.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing the behavior of the Keycloak UMA policy creation endpoint `/realms/{realm}/authz/protection/uma-policy/{resourceId}` for improper validation of resource ownership.

Specifically, you can attempt to create a policy as an authenticated user with the `uma_protection` role by sending a POST request to the endpoint with a JSON body that includes resource IDs owned by other users in the "resources" array, while the URL path specifies a resource owned by the attacker.

If the policy creation succeeds (HTTP 200) despite including victim-owned resources, this indicates the vulnerability is present.

Example command using curl to test the vulnerability (replace placeholders accordingly):

• curl -X POST https://<keycloak-server>/realms/<realm>/authz/protection/uma-policy/<attacker_resource_id> \
• -H "Authorization: Bearer <access_token_with_uma_protection_role>" \
• -H "Content-Type: application/json" \
• -d '{"resources": ["<attacker_resource_id>", "<victim_resource_id>"], "scopes": ["view"]}'

A successful response indicates the vulnerability exists.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Restrict or review the assignment of the `uma_protection` client role to only trusted users, minimizing the number of users who can exploit this vulnerability.
• Temporarily disable or restrict the use of UMA policy creation endpoints if possible, especially for users with the `uma_protection` role.
• Monitor logs and audit UMA policy creation requests for suspicious activity involving multiple resource IDs in the "resources" array.
• Apply any available patches or updates from Keycloak or your vendor that address this vulnerability as soon as they are released.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to gain unauthorized access to resources owned by other users, potentially exposing sensitive information.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and protected health information.

By enabling attackers to bypass access controls and obtain sensitive information, this flaw increases the risk of non-compliance with these regulations, potentially resulting in legal and financial consequences for affected organizations.

Useful 0 Not Useful 0