Все бюллетени/sisyphus/ALT-PU-2026-2576-2
ALT-PU-2026-2576-2

Обновление пакета keycloak в ветке sisyphus

Версия26.5.3-alt1
Задание#407924
Опубликовано2026-02-12
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (8)

BDU:2026-01704
HIGH8.1

Уязвимость компонента JSON Web Token Handler программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2026-02-11
CVSS 3.xВЫСОКАЯ 8.1
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0ВЫСОКАЯ 8.5
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N
Ссылки
CVE-2025-14778
MEDIUM5.4

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.

Опубликовано: 2026-02-09Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Ссылки
CVE-2026-1486
HIGH8.8

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.

Опубликовано: 2026-02-09Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2026-1529
HIGH8.1

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.

Опубликовано: 2026-02-09Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Ссылки
GHSA-37gf-gmxv-74wv
HIGH8.8

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

Опубликовано: 2026-02-10Изменено: 2026-02-14
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки
GHSA-fm6w-rrp3-2x4w
MEDIUM5.4

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService

Опубликовано: 2026-02-10Изменено: 2026-02-14
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Ссылки
GHSA-hcvw-475w-8g7p
HIGH8.1

Keycloak affected by improper invitation token validation

Опубликовано: 2026-02-10Изменено: 2026-02-13
CVSS 3.xВЫСОКАЯ 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Ссылки