VYPR
Moderate severity · NVD Advisory · Published Mar 12, 2018 · Updated Sep 16, 2024

CVE-2016-8629


Description

Red Hat Keycloak prior to 2.4.0 fails to enforce realm-level permissions, allowing authenticated service accounts to delete users in other realms.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Red Hat Keycloak versions before 2.4.0 do not correctly enforce cross-realm permission checks when handling user deletion requests issued by service accounts through the REST API [1][2][3][4]. The flaw lies in the REST endpoint that handles user deletion: the code path does not restrict a service account's authorization to the realm it belongs to, so a request can name a user in a different realm that the caller should not be able to reach [4].

Exploitation

An attacker must possess a valid service account within any realm of the Keycloak instance [1][2][3][4]. No additional authentication or privileges beyond standard service account authentication are required. The attacker crafts a REST API DELETE request targeting a user in a separate realm, which the flawed permission check allows [4].

Impact

Successful exploitation allows the attacker to delete any user account in any realm managed by the same Keycloak instance [1][2][3][4]. This results in unauthorized deletion of user identities, causing loss of availability for those users and potential service disruption for applications relying on those accounts.

Mitigation

The issue was fixed in Red Hat Keycloak version 2.4.0, released with RHSA-2017:0872 and RHSA-2017:0873 [1][2]. Users should upgrade to version 2.4.0 or later. Only service accounts that have been explicitly granted the necessary permissions should be allowed to delete users, and administrators should review existing service account configurations. No workaround is available for unpatched versions.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-core (Maven)
Affected versions: < 2.4.0
Patched versions: 2.4.0

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 8

News mentions: 0