Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant
Vulnerability Description
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
不恰当实现的标准安全检查
Vulnerability Title
Keycloak 安全特征问题漏洞
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全特征问题漏洞,该漏洞源于jwt-authorization-grant流程中服务器未在颁发令牌前验证身份提供商是否启用,可能导致攻击者使用已禁用身份提供商的签名密钥生成有效断言。
CVSS Information
N/A
Vulnerability Type
N/A