KeyCloak Information Disclosure (CVE-2020-27838) - Vulnerability Database


Description

Keycloak is an open source identity and access management solution. CVE-2020-27838 is an authentication bypass vulnerability that allows unauthenticated attackers to retrieve client secrets through the admin REST API. This occurs because certain API endpoints fail to properly enforce authentication requirements, exposing sensitive credential information that should only be accessible to authenticated administrators.

Remediation

Upgrade Keycloak to version 12.0.0 or later, which addresses this vulnerability. Follow these steps:

1. Review your current Keycloak version and plan the upgrade during a maintenance window
2. Back up your Keycloak database and configuration files
3. Download the latest stable version from the official Keycloak website
4. Follow the official migration guide to upgrade your installation
5. After upgrading, verify that unauthenticated access to admin REST API endpoints is properly blocked
6. Rotate all client secrets as a precautionary measure, as they may have been exposed
7. Review access logs for any suspicious API requests to admin endpoints prior to the upgrade
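A small post-upgrade helper for steps 5 and 6 above, added here as an example; it is not Invicti's or the Keycloak project's own code. It probes the generic admin clients endpoint without credentials (the page does not name the specific endpoint affected), then regenerates every confidential client's secret through the admin REST API. It assumes a pre-17 Keycloak base URL with the `/auth` prefix, an admin user in the `master` realm, `curl` and `jq` on PATH, and placeholder host and realm names supplied via environment variables.

```shell
#!/bin/sh
# Post-upgrade checks for CVE-2020-27838: added example, not Invicti's or Keycloak's code.
# Assumes a pre-17 Keycloak base URL (with /auth), an admin user in the master realm,
# curl and jq on PATH, and settings passed through environment variables.
KEYCLOAK_URL="${KEYCLOAK_URL:-http://keycloak.example.internal:8080/auth}"  # placeholder host
REALM="${REALM:-myrealm}"                                                   # placeholder realm

# Map the HTTP status of an unauthenticated admin API request to a verdict.
# 401/403 means authentication is enforced; 200 means client data is readable.
classify_admin_status() {
  case "$1" in
    401|403) echo "blocked" ;;
    200)     echo "EXPOSED" ;;
    *)       echo "unexpected:$1" ;;
  esac
}

# Step 5: request the realm's client list with no credentials and report.
check_unauthenticated_admin_access() {
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    "$KEYCLOAK_URL/admin/realms/$REALM/clients")
  verdict=$(classify_admin_status "$status")
  echo "unauthenticated GET /admin/realms/$REALM/clients -> $status ($verdict)"
  [ "$verdict" = "blocked" ]
}

# Obtain an admin access token from the master realm via the admin-cli client.
admin_token() {
  curl -s -d "grant_type=password" -d "client_id=admin-cli" \
    -d "username=$ADMIN_USER" -d "password=$ADMIN_PASS" \
    "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" | jq -r .access_token
}

# Step 6: regenerate the secret of every confidential (non-public) client.
# POST .../client-secret makes Keycloak issue a fresh secret, invalidating
# any value that may have been exposed before the upgrade.
rotate_client_secrets() {
  token=$(admin_token)
  curl -s -H "Authorization: Bearer $token" "$KEYCLOAK_URL/admin/realms/$REALM/clients" |
    jq -r '.[] | select(.publicClient == false and .bearerOnly == false) | .id' |
  while read -r id; do
    curl -s -o /dev/null -w "rotated client $id -> %{http_code}\n" -X POST \
      -H "Authorization: Bearer $token" \
      "$KEYCLOAK_URL/admin/realms/$REALM/clients/$id/client-secret"
  done
}
# Touch the network only when explicitly enabled, so the file can be sourced for testing.
if [ "${RUN_KEYCLOAK_CHECKS:-0}" = "1" ]; then
  check_unauthenticated_admin_access; rotate_client_secrets
fi
```

Run it with `RUN_KEYCLOAK_CHECKS=1 ADMIN_USER=... ADMIN_PASS=... sh check.sh`; a verdict other than `blocked` on the first line means the upgrade has not taken effect and the secret rotation should be repeated once it has.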

If an immediate upgrade is not possible, as a temporary mitigation implement network-level access controls that restrict access to the Keycloak admin endpoints to trusted IP addresses only.
