CVE-2026-37978
Status: Analyzed - Analysis Complete
Keycloak PII Leakage via Admin API Scope Evaluation

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
Meta Information

Published: 2026-05-19
Last Modified: 2026-06-03
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-08
Affected Vendors & Products

Vendor   Product             Version / Range
redhat   build_of_keycloak   up to 26.4.12 (excluding)
CWE

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive user information, specifically personally identifiable information (PII).

An attacker with limited privileges could gain visibility into user identities and their permissions, which could be used for further attacks or unauthorized access.

Since the vulnerability can be exploited remotely, it increases the risk of data leakage without physical access.

Executive Summary

This vulnerability exists in Keycloak and involves a flaw where a low-privilege administrator who has the 'view-clients' role can exploit the 'evaluate-scopes' Admin API endpoints by providing an arbitrary user ID parameter.

By doing this, the attacker can cause cross-role leakage of personally identifiable information (PII), gaining unauthorized visibility into user identities and their authorizations within the realm.

The exploitation can be performed remotely through network access to the Admin API.

Detection Guidance

Exploitation of this vulnerability can be detected by monitoring and analyzing traffic to the Keycloak Admin API endpoints, specifically looking for calls to the 'evaluate-scopes' endpoints that carry an arbitrary userId parameter from callers who would not otherwise be entitled to view that user.

Commands to detect potential exploitation attempts could include using network monitoring tools like tcpdump or Wireshark to filter HTTP requests to the Admin API. Note that packet capture only helps where the Admin API traffic is visible in cleartext at the capture point (for example between a TLS-terminating reverse proxy and Keycloak); where it is encrypted end to end, rely on proxy or server logs instead. For example:

  • tcpdump -i <interface> -A 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'evaluate-scopes'
  • Using curl or similar tools to manually test the Admin API endpoints with various userId parameters to check for unauthorized data disclosure.

Additionally, reviewing Keycloak server logs for unusual or unauthorized access to the 'evaluate-scopes' Admin API endpoint by low-privilege administrators can help detect exploitation.
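The log review described above can be automated. The following is an added example, not code from the Keycloak project or from this advisory: it scans reverse-proxy access log lines for requests to the evaluate-scopes endpoints, flags any userId-bearing call whose caller holds no role that legitimately implies visibility into user records, and separately flags a caller that walks many distinct userId values. The log format, the admin-to-role mapping, the client UUID and the path shape of the endpoints are all constructed or assumed; check the path form against your Keycloak version and feed in your own role export.

```python
"""Flag suspicious evaluate-scopes Admin API calls in access logs (added example).

Not Keycloak project code. Assumptions: the proxy writes combined-log-format lines
with the authenticated admin's username in the remote-user column, and the
evaluate-scopes endpoints live under /admin/realms/{realm}/clients/{id}/evaluate-scopes/.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)
# Assumed path shape of Keycloak's scope-evaluation endpoints.
EVAL_RE = re.compile(
    r'^/admin/realms/(?P<realm>[^/]+)/clients/(?P<client>[^/]+)/evaluate-scopes/(?P<endpoint>.*)$'
)
# Realm-management roles that legitimately imply visibility into user records.
USER_VIEW_ROLES = {"view-users", "manage-users", "realm-admin"}

# Constructed role data: export the real mapping from your realm's admin role assignments.
ADMIN_ROLES = {
    "alice": {"realm-admin"},
    "bob": {"view-clients"},      # the low-privilege profile named in the advisory
    "carol": {"view-users"},
}

CLIENT = "c0ffee11-0000-4000-8000-000000000001"  # constructed client UUID

# Constructed sample log lines; bob's fifth request shows a 403 as a patched server would answer.
SAMPLE_LOG = f"""\
10.0.0.5 - alice [19/May/2026:10:00:01 +0000] "GET /admin/realms/corp/clients/{CLIENT}/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1001 HTTP/1.1" 200 812
10.0.0.9 - bob [19/May/2026:10:00:07 +0000] "GET /admin/realms/corp/clients/{CLIENT}/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1001 HTTP/1.1" 200 812
10.0.0.9 - bob [19/May/2026:10:00:08 +0000] "GET /admin/realms/corp/clients/{CLIENT}/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-1002 HTTP/1.1" 200 311
10.0.0.9 - bob [19/May/2026:10:00:09 +0000] "GET /admin/realms/corp/clients/{CLIENT}/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1003 HTTP/1.1" 200 799
10.0.0.9 - bob [19/May/2026:10:00:10 +0000] "GET /admin/realms/corp/clients/{CLIENT}/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1004 HTTP/1.1" 403 52
10.0.0.9 - bob [19/May/2026:10:00:12 +0000] "GET /admin/realms/corp/clients/{CLIENT}/evaluate-scopes/protocol-mappers?scope=openid HTTP/1.1" 200 1402
10.0.0.7 - carol [19/May/2026:10:01:00 +0000] "GET /admin/realms/corp/users/u-1001 HTTP/1.1" 200 640
"""


def parse_calls(log_text):
    """Return one dict per request that targets an evaluate-scopes endpoint."""
    calls = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        e = EVAL_RE.match(parts.path)
        if not e:
            continue
        qs = parse_qs(parts.query)
        calls.append({
            "user": m["user"], "ip": m["ip"], "status": int(m["status"]),
            "realm": e["realm"], "client": e["client"], "endpoint": e["endpoint"],
            "user_id": qs.get("userId", [None])[0],
        })
    return calls


def find_suspicious(log_text, roles=ADMIN_ROLES, enum_threshold=3):
    """Flag userId-bearing calls from callers without a user-view role, plus callers
    that query many distinct userIds. Status is deliberately ignored: a 403 after
    patching still records an attempt worth seeing."""
    findings = []
    targets = defaultdict(set)
    for c in parse_calls(log_text):
        if c["user_id"] is None:
            continue  # protocol-mappers / scope-mappings calls carry no userId
        targets[c["user"]].add(c["user_id"])
        if not (roles.get(c["user"], set()) & USER_VIEW_ROLES):
            findings.append({**c, "reason": "caller lacks a user-view role"})
    for user, ids in targets.items():
        if len(ids) >= enum_threshold:
            findings.append({"user": user, "reason": f"{len(ids)} distinct userId values queried"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["user"], f["reason"], f.get("endpoint", ""), f.get("user_id", ""))
```

On the constructed sample this reports bob's four userId-bearing calls (including the one answered 403) and one enumeration finding for bob, while alice's identical request passes because her realm-admin role already entitles her to user data. The enumeration threshold is a tuning knob; the role check is the part that maps directly onto the CWE-639 condition the advisory describes.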

Mitigation Strategies

Immediate mitigation steps include restricting network access to the Keycloak Admin API to trusted administrators only.

Review and tighten the permissions assigned to low-privilege administrators, especially those with the 'view-clients' role, to prevent unauthorized use of the 'evaluate-scopes' endpoint.

Apply any available patches or updates from Keycloak or your vendor that address this vulnerability.

Monitor logs for suspicious activity related to the 'evaluate-scopes' Admin API endpoint and respond promptly to any detected exploitation attempts.

Compliance Impact

This vulnerability allows a low-privilege administrator to gain unauthorized access to personally identifiable information (PII) by exploiting the evaluate-scopes Admin API with arbitrary user IDs. Such unauthorized visibility into user identities and authorizations can lead to cross-role PII leakage.

Because GDPR, HIPAA, and similar regulations require strict controls over access to PII and mandate protection against unauthorized disclosure, this vulnerability could result in non-compliance with these standards due to the potential exposure of sensitive user information.
