CVE-2024-5967: Keycloak LDAP Bind Credential Leakage via Admin Console

CVE ID: CVE-2024-5967 Bug ID: 2292200 Summary: keycloak: Leak of configured LDAP bind credentials through the Keycloak admin console Keywords: Security Status: NEW Priority: low Severity: low Product: Security Response Component: vulnerability Version: unspecified Hardware: All OS: Linux Reported: 2024-06-13 12:37 UTC Modified: 2025-09-03 08:27 UTC CC List: 12 users Description: - The LDAP testing endpoint allows changing the Connection URL independently and without requiring re-entry of the currently configured LDAP bind credentials. An attacker with admin access can modify the LDAP host URL to point to a machine they control. The Keycloak server will then attempt to connect to the attacker’s host and authenticate using the configured credentials, thereby leaking them to the attacker. As a result, an attacker who has compromised the admin console can exfiltrate domain credentials and subsequently attack the domain. This exploit requires access to the REST endpoint and an admin user with manage-realm permission. Version affected: <= 24.0.5 Fixed in: - Red Hat Single Sign-On via RHSA-2024:6494 - Red Hat Single Sign-On 7.6 for RHEL 7 via RHSA-2024:6493 - Red Hat Single Sign-On 7.6 for RHEL 8 via RHSA-2024:6494 - Red Hat build of Keycloak 22 via RHSA-2024:6501 - Red Hat build of Keycloak 22 via RHSA-2024:6500 - Red Hat Single Sign-On 7.6 for RHEL 9 via RHSA-2024:6495 - RHEL-8 based Middleware Containers via RHSA-2024:6497

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-5967: Keycloak LDAP Bind Credential Leakage via Admin Console