Security Issue Serviceinfo

Hi,

I want to report an issue that I got with a client that is using Keycloak for account management for different platforms.

Introduction:

When a user logs in using the login form, there are many requests that show all the configuration from the server. You can check this using web browser tools like Firefox or Chrome: inspect the Network tab and look for the request "/auth/admin/serverinfo". The problem with this is that any user can grab system information that shows the configuration and the OS version that the service is mounted on, or the IP and version of the DB.

The impact of this is that a malicious user can obtain the versions of the different services and exploit known vulnerabilities of some old or outdated component.

Let me know if someone sees this issue too.

If you are worried about the security implications of exposing certain endpoints to the internet, it is recommended that you restrict access to certain routes (e.g. admin endpoints) either with the server config or using a front proxy (e.g. nginx, ALB, etc.).

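One way to do the front-proxy part of this, as an added example that is not from the thread or from the Keycloak project: an nginx server block that proxies the whole legacy `/auth/` context path but only lets a trusted management network reach `/auth/admin/` (which covers both the admin console and the admin REST API, including `/auth/admin/serverinfo`). The hostname, certificate paths, the `127.0.0.1:8080` backend and the `10.0.0.0/8` allow-list are placeholders to adapt.

```nginx
# Added example, not the thread's or Keycloak's own config.
# Assumes Keycloak listens on 127.0.0.1:8080 with the legacy /auth context path
# and that 10.0.0.0/8 is the trusted admin network (both placeholders).
upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name sso.example.com;                   # placeholder hostname
    ssl_certificate     /etc/nginx/tls/sso.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/sso.key;

    # Admin console and admin REST API (e.g. /auth/admin/serverinfo):
    # only the trusted network gets through; everyone else receives 403.
    # nginx picks the longest matching prefix, so this block wins over /auth/.
    location /auth/admin/ {
        allow 10.0.0.0/8;
        deny  all;

        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Login pages, OIDC endpoints and the account console stay reachable.
    location /auth/ {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things to check after deploying this: first, that Keycloak is configured to trust the proxy's `X-Forwarded-*` headers (otherwise it generates wrong redirect URLs and sees every client as the proxy's address); second, that a request to `https://sso.example.com/auth/admin/serverinfo` from outside the allowed range now returns 403 from nginx while the login form under `/auth/realms/...` still loads. If the admin console is later moved to a different path or context root, the `location /auth/admin/` prefix has to follow it, or the restriction silently stops applying.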