Severity: MEDIUM 6.5

GHSA-33j3-g875-37rp

Keycloak Vulnerable to Improper Handling of Insufficient Permissions or Privilege

Details

A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.


Affected packages

Maven / org.keycloak:keycloak-services
First affected version: 26.5.0; fixed version: 26.6.3
Fix: in pom.xml, bump <version>26.6.3</version> for org.keycloak:keycloak-services
Maven / org.keycloak:keycloak-services
First affected version: 0

No fixed version published yet for org.keycloak:keycloak-services (maven). Pin to a known-safe version or switch to an alternative.

References