Replies: 2 comments
-
I think this would be a nice warning to have somewhere.
-
Please follow the disclosure procedure (available at https://github.com/keycloak/keycloak/security) if you believe this may be a possible security issue. Since this is already public, pinging @stianst and @rmartinc, who appear to have published advisories most recently.
-
I'm using keycloak 26.3.2
I have tested a user with the view-users/manage-users roles where that user attempted to grant themselves roles like manage-realm, and it failed; I believe this is expected behavior.
If I create a group called User Admin with the view-users/manage-users roles and the user attempts to grant manage-realm to that group, it also fails; I believe this is expected behavior.
However, if I create a group called Realm Admin which has manage-realm permissions, the user with manage-users permissions is able to grant themselves the Realm Admin group, which seems to be a privilege escalation. So it seems like there is no check being performed when granting groups to users to ensure that the group does not contain any restricted roles.
The workaround to this issue seems to be to never put realm-management roles in a group.
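The following audit script is an added example written for this page; it is not code from the Keycloak project or from the poster. It implements the defensive side of the post's workaround: enumerate the realm's group tree and report every group whose role mappings carry roles of the built-in `realm-management` client, since such a group is one a manage-users holder could add themselves to. The `audit_groups` function works offline on constructed sample data mirroring the two groups in the post; the `fetch_group_tree` helper assumes the shape of the Keycloak admin REST API's group, children and role-mapping representations as the example's author understands them (verify against your own server), and is not run by default.

```python
"""Audit a Keycloak realm for groups that carry realm-management client roles.

Added example, not Keycloak project code. The post reports that a user holding
manage-users can add themselves to a group that carries manage-realm, so the
defensive check is: find every group whose role mappings include roles of the
built-in "realm-management" client and decide whether each one is acceptable.
Assumed admin REST API shapes (verify against your server version):
  GET /admin/realms/{realm}/groups                     -> [{"id", "name", "path", ...}]
  GET /admin/realms/{realm}/groups/{id}/children       -> same shape, one level down
  GET /admin/realms/{realm}/groups/{id}/role-mappings  -> {"realmMappings": [...],
        "clientMappings": {"realm-management": {"mappings": [{"name": ...}]}}}
"""
import json
import urllib.request

SENSITIVE_CLIENT = "realm-management"


def sensitive_roles(role_mappings: dict) -> list[str]:
    """Names of realm-management client roles in one group's role-mapping representation."""
    client_mappings = role_mappings.get("clientMappings") or {}
    entry = client_mappings.get(SENSITIVE_CLIENT) or {}
    return sorted(m["name"] for m in entry.get("mappings", []))


def audit_groups(groups: list[dict], mappings_by_id: dict,
                 allowed: frozenset = frozenset()) -> list[dict]:
    """Report groups carrying realm-management roles outside `allowed`.

    `groups` is the group tree (children under "subGroups"); `mappings_by_id` maps
    group id -> role-mapping representation. With the default empty `allowed` this
    applies the post's workaround literally: any realm-management role in a group
    is a finding. Pass e.g. allowed={"view-users", "manage-users"} to accept a
    deliberately scoped "User Admin" group and flag only stronger roles.
    "realm-admin" is a composite that expands to every other realm-management
    role, so it should never be placed in `allowed`.
    """
    findings = []
    stack = list(groups)
    while stack:
        group = stack.pop()
        roles = [r for r in sensitive_roles(mappings_by_id.get(group["id"], {}))
                 if r not in allowed]
        if roles:
            findings.append({"group": group.get("path", group["name"]), "roles": roles})
        stack.extend(group.get("subGroups") or [])
    return sorted(findings, key=lambda f: f["group"])


def fetch_group_tree(base_url: str, realm: str, token: str) -> tuple[list[dict], dict]:
    """Pull the group tree and per-group role mappings from a live server.

    Not called in the self-contained run below; needs an admin bearer token that
    can read groups and role mappings. Endpoint paths are assumptions (see docstring).
    """
    def get(path: str):
        req = urllib.request.Request(f"{base_url}/admin/realms/{realm}{path}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    mappings: dict = {}

    def walk(group: dict) -> dict:
        mappings[group["id"]] = get(f"/groups/{group['id']}/role-mappings")
        group["subGroups"] = [walk(child) for child in get(f"/groups/{group['id']}/children")]
        return group

    tree = [walk(g) for g in get("/groups")]
    return tree, mappings


# Constructed sample data mirroring the two groups described in the post.
SAMPLE_GROUPS = [
    {"id": "g-user-admin", "name": "User Admin", "path": "/User Admin", "subGroups": []},
    {"id": "g-realm-admin", "name": "Realm Admin", "path": "/Realm Admin", "subGroups": []},
]
SAMPLE_MAPPINGS = {
    "g-user-admin": {"realmMappings": [], "clientMappings": {SENSITIVE_CLIENT: {
        "client": SENSITIVE_CLIENT, "mappings": [{"name": "view-users"}, {"name": "manage-users"}]}}},
    "g-realm-admin": {"realmMappings": [], "clientMappings": {SENSITIVE_CLIENT: {
        "client": SENSITIVE_CLIENT, "mappings": [{"name": "manage-realm"}]}}},
}

if __name__ == "__main__":
    accepted = frozenset({"view-users", "manage-users"})
    for finding in audit_groups(SAMPLE_GROUPS, SAMPLE_MAPPINGS, allowed=accepted):
        print(f"{finding['group']}: {', '.join(finding['roles'])}")
```

Run against the constructed data with the `User Admin` roles accepted, the script reports only `/Realm Admin: manage-realm`, which is the group the post identifies as the escalation path; with an empty `allowed` set it reports both groups, matching the poster's stricter workaround of keeping realm-management roles out of groups entirely.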