CVE-2026-9791
Status: Modified - Updated After Analysis
Keycloak Organization Metadata Disclosure via OIDC Token

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API, or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
Meta Information

  • Published: 2026-05-28
  • Last modified: 2026-06-10
  • Generated: 2026-06-17
  • AI Q&A: 2026-05-28
  • EPSS evaluated: 2026-06-16
Affected Vendors & Products

Vendor   Product            Version / Range
redhat   build_of_keycloak  *
CWE

CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in Keycloak and involves a flaw where organization metadata can still be accessed by authenticated users even after the Organizations feature has been disabled by an administrator.

Specifically, an authenticated user who is a member of an organization can exploit this flaw by using user-facing APIs like the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. Despite the Organizations feature being disabled, these APIs and tokens continue to expose organization membership data.

This happens because, while Keycloak blocks access to the admin Organizations API when the feature is disabled, it does not enforce the same restriction on user-facing endpoints, so organization data continues to be exposed there.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of organization metadata to authenticated users who should no longer have access to this information after the Organizations feature is disabled.

This leakage can cause resource servers to make incorrect authorization decisions based on outdated or unintended organization data included in tokens or returned by APIs.

An attacker must be an authenticated user with existing organization membership, and the client must allow the organization scope for this to be exploited.

The impact is considered medium severity with a CVSS score of 4.3, and currently no patch is available.

Detection Guidance

This vulnerability can be detected by verifying if organization metadata is still accessible through user-facing APIs or tokens after the Organizations feature has been disabled in Keycloak.

  • Check the account API endpoint for organization data using a command like: curl -H "Authorization: Bearer <token>" https://<keycloak-server>/realms/<realm>/account/organizations
  • Request an OpenID Connect token with the 'organization' scope and inspect the token claims to see if organization metadata is included. For example, use an OAuth client to request a token with scope=openid organization and decode the token to check for organization claims.
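A small helper for the two detection steps above, as an added example that is not part of the original record or of Keycloak itself: it decodes the claims of a token obtained with the 'organization' scope and reports any organization-related claims, and checks whether an account API response lists any organizations. The claim name 'organization' follows the scope named on the page; the alternative claim names, the response shapes, the sample token and the sample body are constructed assumptions.

```python
import base64
import json

# Claim names to look for. "organization" matches the scope name on the page;
# the other two are assumptions, not documented Keycloak claim names.
ORG_CLAIM_NAMES = ("organization", "organizations", "org")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Decode the claims of a compact JWS token without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def org_claims_in_token(token: str) -> dict:
    """Organization-related claims present in the token, keyed by claim name (empty if none)."""
    claims = jwt_payload(token)
    return {name: claims[name] for name in ORG_CLAIM_NAMES if name in claims}


def org_data_in_account_response(body: str) -> bool:
    """True if the account API body lists at least one organization (bare list or wrapped object)."""
    data = json.loads(body)
    if isinstance(data, dict):
        data = data.get("organizations", data.get("items", []))
    return isinstance(data, list) and len(data) > 0


def make_unsigned_token(payload: dict) -> str:
    # Constructed test token with a dummy signature segment; real tokens must be signature-checked.
    return f"{_b64url_encode({'alg': 'none'})}.{_b64url_encode(payload)}.sig"


# Constructed samples of what a leaking token and account response could look like.
SAMPLE_TOKEN = make_unsigned_token(
    {"sub": "user-1", "scope": "openid organization", "organization": {"acme": {}}}
)
SAMPLE_ACCOUNT_BODY = '[{"alias": "acme", "name": "Acme Corp"}]'

if __name__ == "__main__":
    print(org_claims_in_token(SAMPLE_TOKEN))          # organization claim is present
    print(org_data_in_account_response(SAMPLE_ACCOUNT_BODY))
```

Any non-empty result after the Organizations feature has been disabled is the condition the page describes and should be recorded in the audit trail.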

Mitigation Strategies

Currently, no patch is available for this vulnerability. Immediate mitigation steps include:

  • Ensure that clients are not configured to allow the 'organization' scope in token requests.
  • Review and restrict access to user-facing APIs such as the account API endpoint to prevent unauthorized disclosure of organization metadata.
  • Consider re-enabling the Organizations feature if feasible, or avoid disabling it until a fix is available.
  • Monitor authenticated users with organization membership and audit token contents for unintended organization claims.

Compliance Impact

This vulnerability allows unauthorized disclosure of organization metadata in tokens and user-facing APIs even after the Organizations feature has been disabled. Such unintended data exposure could lead to incorrect authorization decisions by resource servers.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the leakage of organization membership data could potentially violate data protection principles related to data minimization and access control, which are common requirements in these regulations.
