CVE-2026-11577
Status: Awaiting Analysis - Queue
Keycloak Privilege Escalation via FGAP Bypass

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
Affected Vendors & Products (2 associated CPEs)

Vendor    Product    Version / Range
redhat    keycloak   26.6.1
keycloak  keycloak   26.6.1
CWE

CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions
Executive Summary

This vulnerability exists in Keycloak's POST /admin/realms/{realm}/partialImport endpoint, where a limited administrator with only the "manage-realm" role can bypass Fine-Grained Admin Permissions (FGAP).

Due to improper access control, this limited admin can import users with realm-admin role mappings, effectively escalating their privileges to a full realm administrator.

The root cause is that the endpoint only checks the general manage-realm permission but does not enforce more specific role-based permissions for managing clients, users, or roles during partial imports.

Impact Analysis

An attacker or a limited administrator exploiting this vulnerability can escalate their privileges to become a full realm administrator.

This privilege escalation allows them to create, modify, or overwrite clients, client roles, groups, and users, potentially compromising the entire realm's security.

Such unauthorized access can lead to full control over the realm, including sensitive configurations and user data, resulting in a high impact on confidentiality, integrity, and availability.

Detection Guidance

Detection of this vulnerability involves monitoring the use of the POST /admin/realms/{realm}/partialImport endpoint for suspicious activity, especially partial import operations performed by users with limited administrative roles.

Specifically, look for partial import requests that include JSON payloads attempting to assign realm-admin role mappings or modify clients, client roles, or groups without the appropriate manage-clients or manage-users roles.

Commands to detect such activity could include inspecting Keycloak server logs or API access logs for POST requests to the partialImport endpoint. Keycloak does not log individual HTTP requests unless access logging is enabled, so the request lines may exist only in a reverse proxy's access log; where admin events are enabled for the realm, the admin event log is a further place to look for the acting user and the operation performed.

  • Use grep or similar tools to search logs for POST requests to /admin/realms/*/partialImport, for example: `grep 'POST /admin/realms/.*/partialImport' /path/to/keycloak/logs/server.log`
  • Analyze the JSON payloads in these requests to identify whether they contain role mappings to realm-admin or other sensitive roles.
  • Monitor for users with only the manage-realm role performing these imports, as this matches the exploitation pattern.
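As an added example (not part of the advisory and not Keycloak's own code), the following Python script implements the two detection checks above: it picks partialImport requests out of constructed access-log lines and scans a constructed partial-import payload for mappings to realm-admin, which in Keycloak is a client role of the built-in realm-management client. It goes a little beyond the bullets by also flagging groups and composite realm roles that carry the same mapping, since either would grant the rights once imported; the access-log line layout and the list of flagged roles are assumptions.

```python
import json
import re

# Constructed sample access-log lines; the field layout is an assumption.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 limited-admin "POST /admin/realms/acme/partialImport HTTP/1.1" 200
10.0.0.7 viewer "GET /admin/realms/acme/users HTTP/1.1" 200
"""

# Constructed partial-import payload in Keycloak's realm export format.
SAMPLE_PAYLOAD = json.loads("""{
  "users": [
    {"username": "alice", "realmRoles": ["user"]},
    {"username": "backdoor", "clientRoles": {"realm-management": ["realm-admin"]}}
  ],
  "groups": [{"name": "ops", "clientRoles": {"realm-management": ["manage-users"]}}],
  "roles": {"realm": [{"name": "helper", "composite": true,
            "composites": {"client": {"realm-management": ["realm-admin"]}}}]}
}""")

# realm-admin is the role the advisory names; the other realm-management roles
# are its components and are flagged too (defender's choice, an assumption).
SENSITIVE = {"realm-admin", "manage-realm", "manage-users", "manage-clients"}
PARTIAL_IMPORT_RE = re.compile(r'POST /admin/realms/(?P<realm>[^/\s"]+)/partialImport\b')

def find_partial_import_requests(log_text):
    """Return (realm, line) for every log line that hits the partialImport endpoint."""
    return [(m.group("realm"), line) for line in log_text.splitlines()
            if (m := PARTIAL_IMPORT_RE.search(line))]

def _flag(client_roles):
    """Sorted sensitive realm-management roles found in a clientRoles map."""
    return sorted(set(client_roles.get("realm-management", [])) & SENSITIVE)

def sensitive_mappings(payload):
    """List each user, group or composite realm role that would carry
    realm-management rights once the payload is imported."""
    findings = []
    for user in payload.get("users", []):
        if bad := _flag(user.get("clientRoles", {})):
            findings.append(("user", user.get("username"), bad))
    for group in payload.get("groups", []):
        if bad := _flag(group.get("clientRoles", {})):
            findings.append(("group", group.get("name"), bad))
    for role in payload.get("roles", {}).get("realm", []):
        if bad := _flag(role.get("composites", {}).get("client", {})):
            findings.append(("composite-realm-role", role.get("name"), bad))
    return findings
```

Run `sensitive_mappings` over the request body of each hit returned by `find_partial_import_requests`; any finding from an account that holds only manage-realm is the pattern the advisory describes.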
Mitigation Strategies

Immediate mitigation steps include restricting access to the POST /admin/realms/{realm}/partialImport endpoint to only fully trusted administrators who have the necessary permissions beyond manage-realm.

Review and tighten role assignments to ensure that users with limited administrative privileges do not have access to perform partial imports that could escalate their privileges.

Apply any available patches or updates from Keycloak that address this vulnerability, as the issue involves improper enforcement of Fine-Grained Admin Permissions.

  • Temporarily disable or restrict the partialImport functionality if possible until a fix is applied.
  • Audit current users with manage-realm role and verify they do not have unintended elevated privileges.