CVE-2026-37981
Keycloak Account Resources PII Disclosure Vulnerability

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-08

Affected Vendors & Products
1 associated CPE:
Vendor: redhat
Product: build_of_keycloak
Version / Range: from 26.4 (inclusive) to 26.4.12 (exclusive)

CWE
CWE-1220: The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

Executive Summary

This vulnerability is a broken access control flaw in Keycloak's Account Resources user lookup endpoint. It allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to send specially crafted requests with arbitrary usernames or email values. As a result, the endpoint returns full profile objects for unrelated users, enabling the attacker to enumerate and harvest personally identifiable information (PII) of all users within the realm.

Impact Analysis

The vulnerability can lead to broad disclosure of profile-level information, including personally identifiable information (PII), to unauthorized users. This means that an attacker with valid authentication and at least one UMA resource can access sensitive user data of other users without permission, potentially leading to privacy breaches and misuse of personal information.

Compliance Impact

This vulnerability allows a remote authenticated user to enumerate and harvest personally identifiable information (PII) of all realm users due to broken access control in the user lookup endpoint.

Such unauthorized disclosure of PII can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal data and mandate protection against unauthorized disclosure.

Therefore, exploitation of this flaw could result in violations of these regulations, potentially leading to legal and financial consequences for affected organizations.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the Account Resources user lookup endpoint in Keycloak. Specifically, look for unusual or crafted requests that include arbitrary usernames or email values attempting to retrieve profile information of unrelated users.

Commands or methods to detect this may include capturing HTTP traffic to the user lookup endpoint and inspecting for suspicious query parameters or payloads that attempt to enumerate user profiles.

  • Use network traffic analysis tools like tcpdump or Wireshark to capture requests to the Keycloak user lookup endpoint.
  • Use curl or similar HTTP clients to test the endpoint with arbitrary usernames or email values to verify if profile information is returned improperly.

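One way to act on this guidance, as an added example that is not part of the advisory or of Keycloak itself: a Python pass over access logs that flags authenticated users who look up many distinct username or email values against the Account Resources endpoint. The log format, the sample lines and the ASSUMED_LOOKUP path segment are constructed assumptions, since the advisory does not give the endpoint's path.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample (not from the advisory). Field layout, also constructed:
# client_ip authenticated_user ISO-timestamp "METHOD target" status
# ASSUMED_LOOKUP is a placeholder for the Account Resources user lookup endpoint.
SAMPLE_LOG = """\
10.0.0.5 alice 2026-05-20T09:00:01Z "GET /realms/demo/account/resources/ASSUMED_LOOKUP?username=bob" 200
10.0.0.5 alice 2026-05-20T09:00:02Z "GET /realms/demo/account/resources/ASSUMED_LOOKUP?email=carol@example.com" 200
10.0.0.5 alice 2026-05-20T09:00:03Z "GET /realms/demo/account/resources/ASSUMED_LOOKUP?username=dave" 200
10.0.0.5 alice 2026-05-20T09:00:04Z "GET /realms/demo/account/resources/ASSUMED_LOOKUP?username=erin" 200
10.0.0.5 alice 2026-05-20T09:00:05Z "GET /realms/demo/account/resources/ASSUMED_LOOKUP?email=frank@example.com" 200
10.0.0.9 dave 2026-05-20T09:05:00Z "GET /realms/demo/account/resources/ASSUMED_LOOKUP?username=erin" 200
10.0.0.9 dave 2026-05-20T09:05:10Z "GET /realms/demo/account/" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\w+) (\S+)" (\d{3})$')
LOOKUP_PATH_MARKER = "/account/resources/"   # assumption: the lookup lives under this prefix
LOOKUP_PARAMS = ("username", "email")         # the two lookup values the advisory names

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, ts, method, target, status = m.groups()
    return {"ip": ip, "user": user, "ts": ts, "method": method, "target": target, "status": int(status)}

def lookup_keys(target):
    """Return the (param, value) pairs naming looked-up accounts; empty set for non-lookup requests."""
    parts = urlsplit(target)
    if LOOKUP_PATH_MARKER not in parts.path:
        return set()
    return {(k, v.lower()) for k, v in parse_qsl(parts.query) if k in LOOKUP_PARAMS}

def find_enumerators(log_text, threshold=5):
    """Count distinct accounts each authenticated user looked up with a 200 response; report those at or above threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        seen[rec["user"]] |= lookup_keys(rec["target"])
    return {user: len(keys) for user, keys in seen.items() if len(keys) >= threshold}

if __name__ == "__main__":
    for user, count in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT: {user} looked up {count} distinct accounts via the Account Resources endpoint")
```

Tune the threshold to the number of other users a legitimate UMA resource owner would plausibly look up while sharing resources; a single principal sweeping through many distinct values is the pattern to alert on.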
Mitigation Strategies

Immediate mitigation steps include restricting access to the Account Resources user lookup endpoint to only authorized users and reviewing user permissions related to User-Managed Access (UMA) resources.

Applying any available patches or updates from Keycloak or your vendor that address this broken access control vulnerability is critical.

  • Limit or disable the ability for users owning UMA resources to perform user lookups until a fix is applied.
  • Monitor logs for suspicious access patterns to the user lookup endpoint.
