Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A vulnerability exists in Keycloak when it is deployed behind a reverse proxy such as HAProxy and the admin path is reachable from outside. Relative, non-normalized paths sent against the realms path (which is intended to be exposed) can resolve to the admin application. As a result, the admin console may be accessible when it should not be, creating a potential security risk.
Exposing the admin console path can lead to unauthorized access, allowing users to interact with the admin interface without proper authorization.
To reproduce this vulnerability, configure Keycloak to use HAProxy as a reverse proxy. Then send a request to the realms path with the client's 'path-as-is' option (so the client does not normalize the path before sending it), including a relative path traversal sequence that resolves to the admin console. This bypasses the intended path restrictions and exposes the admin interface.
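As an added example (not part of this advisory, of Keycloak, or of HAProxy), the following Python check flags the pattern described above in proxy access logs: request paths that look like they target the public realms path but normalize into the admin path. The exposure policy (/realms/ public, /admin/ internal) and the sample log lines are assumptions constructed for the example.

```python
from posixpath import normpath
from urllib.parse import unquote

# Assumed exposure policy (not stated in the advisory): only /realms/ is meant
# to be reachable through the proxy, /admin/ must stay internal.
PUBLIC_PREFIXES = ("/realms/",)
RESTRICTED_PREFIXES = ("/admin/",)


def normalize_request_path(raw_path: str) -> str:
    """Resolve the request-target the way the backend will see it: drop the
    query string, percent-decode (so %2e%2e is caught), then collapse '.',
    '..' and duplicate slashes. normpath keeps a leading '//', so re-root."""
    path = unquote(raw_path.split("?", 1)[0])
    return "/" + normpath(path).lstrip("/")


def classify_request(raw_path: str) -> str:
    """'traversal': public-looking (/realms/...) but resolves into /admin/, the
    advisory's pattern; 'restricted': resolves into /admin/ directly; 'allow':
    stays under a public prefix; 'other': let the normal proxy rules decide."""
    probe = normalize_request_path(raw_path).rstrip("/") + "/"
    if probe.startswith(RESTRICTED_PREFIXES):
        return "traversal" if raw_path.startswith(PUBLIC_PREFIXES) else "restricted"
    return "allow" if probe.startswith(PUBLIC_PREFIXES) else "other"


def scan_access_log(lines):
    """Return [(raw_path, verdict)] for CLF-style lines ('... "GET <path> HTTP/1.1" ...')."""
    results = []
    for line in lines:
        parts = line.split('"')
        request = parts[1].split(" ") if len(parts) > 1 else []
        if len(request) < 2:
            continue                      # not a request line
        results.append((request[1], classify_request(request[1])))
    return results


# Constructed sample access-log lines (not from a real deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /realms/master/protocol/openid-connect/auth HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /realms/../admin/master/console/ HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /realms/%2e%2e/admin/master/console/ HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /admin/master/console/ HTTP/1.1" 403 0',
]
```

The same normalization has to happen in the proxy itself before any path ACL is evaluated; on HAProxy 2.4 or later the `http-request normalize-uri path-strip-dotdot` directive in the frontend does this (taken from HAProxy's own documentation, not from this advisory).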