This issue was reported to Keycloak on 2018-02-22 and was fixed in release 3.0.0 on 2018-02-28.

2018-02-25: Remote code execution via SQL injection in the LDAP backend

Severity: Medium (updated; also listed as Critical)
Credit: Khalil Shoukry (updated)

Vulnerability details: A SQL injection flaw was found in the LDAP backend of Keycloak. A malicious user with database rights can inject arbitrary SQL statements into the Keycloak database and cause denial of service (DoS) or remote code execution. This occurred due to insufficient validation of user input passed to the database. This issue was reported to Keycloak on 2018-02-25 and was fixed in release 3.0.0 on 2018-03-01.

How likely are these issues for somebody doing a web application penetration test? Keycloak is currently used by companies in many different industries, including finance, retail, and education. As such, the majority of

SQL Injection in the LDAP backend

a. SQL injection vulnerability in the LDAP backend of Keycloak
b. Remote code execution vulnerability in the LDAP backend of Keycloak
c. Remote code execution vulnerability that allows an anonymous attacker to inject SQL queries into Keycloak

Timeline

Published on: 07/08/2022 00:15:00 UTC
Last modified on: 07/15/2022 17:10:00 UTC
