The LDAP testing endpoint allows to change the Connection URL independently of and without having to re-enter the currently configured LDAP bind credentials. An attacker with admin access (permission manage-realm) can change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console/compromised a user with sufficient privileges can leak domain credentials and can now attack the domain.
Special thanks to Simon Wessling for reporting this issue and helping us improve our project
{ "nvd_published_at": null, "cwe_ids": [ "CWE-276" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-06-21T15:52:38Z" }