{
  "threat_severity" : "Important",
  "public_date" : "2024-10-09T18:11:00Z",
  "bugzilla" : {
    "description" : "keycloak: Unguarded admin REST API endpoints allows low privilege users to use administrative functionalities",
    "id" : "2274403",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2274403"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.", "A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise." ],
  "statement" : "Red Hat has evaluated this vulnerability. This affects only Keycloak server and no Keycloak clients library ship the affected code.",
  "acknowledgement" : "Red Hat would like to thank Maurizio Agazzini for reporting this issue. Upstream acknowledges the Keycloak project as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Build of Keycloak",
    "release_date" : "2024-06-03T00:00:00Z",
    "advisory" : "RHSA-2024:3575",
    "cpe" : "cpe:/a:redhat:build_keycloak:22"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "release_date" : "2024-06-03T00:00:00Z",
    "advisory" : "RHSA-2024:3572",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-3656\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3656\nhttps://github.com/advisories/GHSA-2cww-fgmg-4jqc" ],
  "name" : "CVE-2024-3656",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}