Vira Vitanska created DATALAB-2934:
--------------------------------------
Summary: Upgrade prod Keycloak
Key: DATALAB-2934
URL: https://issues.apache.org/jira/browse/DATALAB-2934
Project: Apache DataLab
Issue Type: Task
Security Level: Public (Regular Issues)
Components: DataLab Main
Reporter: Vira Vitanska
Assignee: Oleksandr Polishchuk
*Threat / Description:*
Keycloak is an open source Identity and Access Management solution targeted
towards modern applications and services. A flaw was found in Keycloak before
13.0.0, where it is possible to force the server to call out an unverified URL
using the OIDC parameter request_uri. This flaw allows an attacker to use this
parameter to execute a Server-side request forgery (SSRF) attack.
Affected Versions:
Keycloak versions prior to 13.0.0
QID Detection Logic:
This detection sends a specially-crafted GET request with request_uri parameter
where vulnerable servers will make a DNS query that will trigger the Qualys
Periscope detection mechanism.
*Impact:*
Successful exploitation of this vulnerability may allow a remote attacker to
execute a blind SSRF attack, measuring the response time to perform a port scan
of the target server or of internally accessible hosts.
*Solution:*
Upgrade to [Keycloak 13.0.0|https://www.keycloak.org/downloads.html] or later.
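The two defensive halves of this ticket, the mitigation (only fetch a request_uri the client has registered) and the detection (spot authorization requests carrying a request_uri that points somewhere unexpected), as one added example. This is illustration code written for this ticket, not Keycloak's or DataLab's own code; the log format, the client id, the registered-URI allowlist and the "internal host" heuristics are all constructed assumptions, and the per-client registration table is only a stand-in for however a real server stores registered request URIs.

```python
"""Added example (not Keycloak/DataLab code): allowlist validation for the OIDC
request_uri parameter, plus a scan of access-log lines for authorization
requests whose request_uri does not pass that validation."""
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed: request_uri values registered per client. Matching the incoming
# parameter against a registered list is the mitigation; the exact storage
# model is an assumption for this example.
REGISTERED_REQUEST_URIS = {
    "datalab-ui": {"https://ui.datalab.example/oidc/request.jwt"},
}


def _is_internal_host(host):
    """Heuristic (assumption): literal private/loopback/link-local addresses
    and a few internal-looking suffixes count as internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith((".internal", ".local"))
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def validate_request_uri(client_id, request_uri):
    """Return (ok, reason). Only an exact match against the client's registered
    list is accepted; everything else is rejected before any fetch happens."""
    if request_uri in REGISTERED_REQUEST_URIS.get(client_id, set()):
        return True, "registered"
    parts = urlsplit(request_uri)
    if parts.scheme != "https":
        return False, "scheme-not-https"
    if _is_internal_host(parts.hostname or ""):
        return False, "internal-host"
    return False, "not-registered"


# Constructed sample access-log lines (combined-log style; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2022:10:01:02 +0000] "GET /auth/realms/datalab/protocol/openid-connect/auth?client_id=datalab-ui&response_type=code&request_uri=https%3A%2F%2Fui.datalab.example%2Foidc%2Frequest.jwt HTTP/1.1" 302 0
203.0.113.7 - - [12/Jul/2022:10:02:15 +0000] "GET /auth/realms/datalab/protocol/openid-connect/auth?client_id=datalab-ui&response_type=code&request_uri=http%3A%2F%2F10.0.0.12%3A8080%2F HTTP/1.1" 200 0
203.0.113.7 - - [12/Jul/2022:10:02:16 +0000] "GET /auth/realms/datalab/protocol/openid-connect/auth?client_id=datalab-ui&response_type=code&request_uri=https%3A%2F%2Funregistered.example%2Fx HTTP/1.1" 200 0
10.0.0.9 - - [12/Jul/2022:10:03:00 +0000] "GET /auth/realms/datalab/protocol/openid-connect/token HTTP/1.1" 200 512
"""


def scan_access_log(lines):
    """Return one finding per authorization request whose request_uri fails
    validate_request_uri(); other requests are ignored."""
    findings = []
    for line in lines:
        if '"' not in line:
            continue
        request_line = line.split('"')[1]          # 'GET /path?query HTTP/1.1'
        fields = request_line.split(" ")
        if len(fields) < 2:
            continue
        target = urlsplit(fields[1])
        if not target.path.endswith("/protocol/openid-connect/auth"):
            continue
        query = parse_qs(target.query)             # percent-decodes values
        request_uri = query.get("request_uri", [None])[0]
        if request_uri is None:
            continue
        client_id = query.get("client_id", ["?"])[0]
        ok, reason = validate_request_uri(client_id, request_uri)
        if not ok:
            findings.append({
                "src": line.split(" ", 1)[0],
                "client_id": client_id,
                "request_uri": request_uri,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} client={f['client_id']} {f['reason']}: {f['request_uri']}")
```

Run against the constructed log, the first request (a registered URI) passes, while the two requests from 203.0.113.7 are reported, one for a non-https URI to a private address and one for an unregistered external host. The validation order matters: the registered-list check comes first and is the only path to acceptance, so the scheme and internal-host checks only decide which reason is logged, never whether an unregistered URI gets fetched.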
----
Keycloak is updated to v.18.0.1, but during log in/out a black rectangle shows up
on the DataLab web UI. Please investigate who is responsible for it; whoever is
in charge is supposed to get rid of this rectangle.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)