Security Issue Serviceinfo


I want to report an issue that I got with a client that are using Keycloak for account management for different platforms.


When a user login on using login form, there many request that show all the configuration from the server, you can check this using web browser tools like Firefox o Chrome and inspect on network and check for the request “/auth/admin/serverinfo”, the problem with this is that any user can grab system information that show configuration and Os Version that the service are mount on or IP and version of the DB.

The impact of this can generate that a malicious user can obtain the versions of the different services and exploit known vulnerabilities of some old or outdated component.

Let me know if someone see this issue to.

If you are worried about the security implications of exposing certain endpoints to the internet, it is recommended that you restrict access to certain routes (e.g. admin endpoints) either with the server config or using a front proxy (e.g. nginx, alb, etc)

1 Like