Posted to dev@datalab.apache.org by "Vira Vitanska (Jira)" <ji...@apache.org> on 2022/06/17 06:25:00 UTC

[jira] [Created] (DATALAB-2858) Upgrade keycloak

Vira Vitanska created DATALAB-2858:
--------------------------------------

             Summary: Upgrade keycloak 
                 Key: DATALAB-2858
                 URL: https://issues.apache.org/jira/browse/DATALAB-2858
             Project: Apache DataLab
          Issue Type: Task
      Security Level: Public (Regular Issues)
          Components: DataLab Main
            Reporter: Vira Vitanska
            Assignee: Leonid Frolov


*Threat / Description:*
Keycloak is an open source Identity and Access Management solution targeted towards modern applications and services. A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out to an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-Side Request Forgery (SSRF) attack.


Affected Versions:
Keycloak versions prior to 13.0.0

QID Detection Logic:
This detection sends a specially crafted GET request with a request_uri parameter; vulnerable servers make a DNS query for the supplied host, which triggers the Qualys Periscope detection mechanism.
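As an added example (not part of this ticket, Qualys or the Keycloak project), a small defender-side check that scans authorization-endpoint request lines for request_uri values pointing at hosts outside an allow-list; the log line format, host names and allow-list are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allow-list of hosts from which this deployment legitimately
# serves OIDC request objects; in practice derive it from client registrations.
ALLOWED_REQUEST_URI_HOSTS = {"app.example.internal"}

# Constructed sample access-log lines in a simple "METHOD PATH" form; not real data.
SAMPLE_LOG = """\
GET /auth/realms/demo/protocol/openid-connect/auth?client_id=app&response_type=code&redirect_uri=https://app.example.internal/cb
GET /auth/realms/demo/protocol/openid-connect/auth?client_id=app&request_uri=https://app.example.internal/req.jwt
GET /auth/realms/demo/protocol/openid-connect/auth?client_id=app&request_uri=http://external.example.net/x
GET /auth/realms/demo/protocol/openid-connect/auth?client_id=app&request_uri=http://10.0.0.5:8080/
GET /auth/realms/demo/protocol/openid-connect/token
"""


def suspicious_request_uris(log_text, allowed_hosts=ALLOWED_REQUEST_URI_HOSTS):
    """Return (line_no, host) for authorization requests whose request_uri
    targets a host outside the allow-list, i.e. requests that would make an
    unpatched server fetch an unverified URL (the pattern the advisory describes)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlparse(parts[1])
        # Only the authorization endpoint accepts request_uri.
        if not url.path.endswith("/protocol/openid-connect/auth"):
            continue
        for value in parse_qs(url.query).get("request_uri", []):
            host = urlparse(value).hostname
            if host not in allowed_hosts:
                findings.append((n, host))
    return findings


if __name__ == "__main__":
    for n, host in suspicious_request_uris(SAMPLE_LOG):
        print(f"line {n}: request_uri to non-allow-listed host {host!r}")
```

Lines 3 and 4 of the sample are reported; the first line carries only a redirect_uri and is ignored.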

*Impact:*
Successful exploitation of this vulnerability may allow a remote attacker to execute a blind SSRF attack, measuring response times to port-scan the target server or internally accessible hosts.

*Solution:*
Upgrade to [Keycloak 13.0.0|https://www.keycloak.org/downloads.html] or later.


