Keycloak UMA 2.0 Protection API Improper Role Check Vulnerability Allowing Information Disclosure

Vulnerability

A vulnerability exists in Keycloak's User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets. The endpoint does not properly enforce the 'uma_protection' role requirement. As a result, any authenticated user with a token from a resource server client can enumerate all permission tickets in the system, leading to unauthorized information disclosure.

Impact

Exploitation of this vulnerability allows for unauthorized enumeration of permission tickets, potentially disclosing sensitive information about permissions and access rights within the system.

Reproduction

To reproduce this vulnerability, an authenticated user must obtain a valid token from a resource server client that does not include the 'uma_protection' role. Once the token is acquired, the user can make requests to the UMA 2.0 Protection API endpoint for permission tickets. Because the endpoint does not check for the 'uma_protection' role, the missing role does not prevent access, and the user can enumerate all permission tickets in the system.
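The check the endpoint is expected to enforce, shown as an added Python example (not Keycloak's own code or anything from this advisory): a gateway-side filter that admits a bearer token to the permission-ticket endpoint only if its claims carry the 'uma_protection' client role. It assumes the token's signature has already been verified upstream, that Keycloak places client roles under `resource_access.<client-id>.roles`, and that the `azp` claim names the resource server client; the client id `photoz-rs` and the tokens built by `make_demo_token` are constructed for offline testing.

```python
import base64
import json
import time

# Keycloak client role that the UMA 2.0 Protection API is supposed to require.
UMA_PROTECTION_ROLE = "uma_protection"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    Signature verification is assumed to have happened upstream (e.g. a JWKS
    check in the gateway); this function only parses, it does not verify."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def has_uma_protection(claims: dict, client_id: str) -> bool:
    """True if the token carries the uma_protection client role for client_id.
    Keycloak nests client roles as resource_access.<client-id>.roles."""
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return UMA_PROTECTION_ROLE in roles


def allow_protection_api(token: str, client_id: str, now=None) -> bool:
    """Policy for the permission-ticket endpoint: reject malformed, expired or
    foreign-client tokens, and tokens that lack the uma_protection role."""
    try:
        claims = token_claims(token)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return False
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    if claims.get("azp") != client_id:  # assumption: PAT is issued to the resource server client
        return False
    return has_uma_protection(claims, client_id)


def make_demo_token(claims: dict) -> str:
    """CONSTRUCTED, unsigned demo token for offline tests; never use in production."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```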

Added: Mar 26, 2026, 7:20 PM
Updated: Mar 26, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.8
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.