Apache Camel Keycloak Component Cross-Realm Token Acceptance Bypass Vulnerability

Vulnerability

A cross-realm token acceptance bypass vulnerability has been identified in the Keycloak component of Apache Camel, affecting versions from 4.15.0 up to, but not including, 4.18.0. The issue lies in the KeycloakSecurityPolicy, which does not validate the issuer (iss) claim of an incoming JWT against the realm the policy is configured for. As a result, a token issued by one Keycloak realm is accepted by a policy bound to a different realm, undermining tenant isolation. A user holding a valid token from one realm can therefore reach data and routes intended for another tenant's realm, which may also lead to privilege escalation where the realms assign roles differently.
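The check the description says is missing, written out as an added Python example (not code from Apache Camel or Keycloak): a realm-bound policy compares the token's iss claim, by exact string match, with the issuer it expects for its own realm. Keycloak issues tokens with iss set to <server-url>/realms/<realm> (older releases used an /auth/realms/<realm> prefix), so that URL is the reference value. The sample tokens are constructed here with a placeholder signature; in a real policy the signature is verified with the bound realm's keys before any claim is read, and this issuer comparison is applied in addition, never instead.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(issuer: str, subject: str) -> str:
    """Build a constructed, unsigned sample JWT for the demo below.

    The third segment is a placeholder, not a real signature: this helper
    exists only so the example runs offline without a Keycloak server.
    """
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT.

    No signature check happens here; call this only after the token's
    signature has been verified with the keys of the realm the policy is
    bound to (looked up from the policy's own configuration, not from the
    token's iss claim).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))


def expected_issuer(server_url: str, realm: str) -> str:
    """Issuer URL Keycloak puts into tokens for the given realm."""
    return f"{server_url.rstrip('/')}/realms/{realm}"


def issuer_matches_realm(token: str, server_url: str, realm: str) -> bool:
    """The realm-binding check: accept only tokens whose iss equals the
    issuer of the policy's configured realm.

    Exact comparison matters: a prefix or substring test would let a token
    from realm "tenant-ab" pass a policy bound to realm "tenant-a".
    """
    try:
        claims = decode_payload(token)
    except (ValueError, json.JSONDecodeError):
        return False
    iss = claims.get("iss")
    return isinstance(iss, str) and iss == expected_issuer(server_url, realm)


if __name__ == "__main__":
    # Constructed demo: a policy bound to tenant-a must reject tenant-b's token.
    server = "https://sso.example.test"  # hypothetical Keycloak base URL
    token_a = make_sample_token(expected_issuer(server, "tenant-a"), "alice")
    token_b = make_sample_token(expected_issuer(server, "tenant-b"), "bob")
    print("tenant-a token on tenant-a policy:", issuer_matches_realm(token_a, server, "tenant-a"))
    print("tenant-b token on tenant-a policy:", issuer_matches_realm(token_b, server, "tenant-a"))
```

Two points of the design are worth keeping when porting this to a real policy: the expected issuer is derived from the policy's configuration, not from anything in the token, and the comparison is equality on the full URL rather than a check that the realm name appears somewhere in it.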

Impact

Exploitation of this vulnerability allows for cross-tenant data access in multi-tenant SaaS applications, privilege escalation when different realms have varying role configurations, and a complete bypass of realm-based security isolation.

Reproduction

The vulnerability can be reproduced with a local Keycloak instance configured with two realms. A JWT obtained from one realm is sent to a route protected by a KeycloakSecurityPolicy bound to the other realm. In affected versions the request succeeds, demonstrating the missing issuer check.

Remediation

Users are advised to upgrade to Apache Camel version 4.18.0 or later, which addresses this vulnerability.

Added: Feb 23, 2026, 9:22 AM
Updated: Feb 23, 2026, 4:36 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 5.0
exploitability: 4.2
remediation: 7.7
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.