Red Hat Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A vulnerability exists in Keycloak's UserResource component, allowing an authenticated user with the view-users role to access a specific administrative endpoint and retrieve user attributes that are meant to be hidden. This flaw leads to unauthorized disclosure of sensitive user information, as it violates the privacy settings intended to keep these attributes concealed from both users and administrators.
Exploitation of this vulnerability could result in the unauthorized disclosure of private user attributes whose visibility is disabled, meaning they are not meant to be viewed in any context.
To reproduce this vulnerability, an authenticated user with the view-users role must access the administrative endpoint /admin/realms/{realm}/users/{UUID}/unmanagedAttributes. This endpoint will return user attributes that are configured to be hidden, thereby disclosing information that should not be accessible.
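Because the exposed endpoint has a fixed path shape, a defender can audit reverse-proxy or Keycloak access logs for reads of it and correlate them with the accounts that should be reviewing users. The following detection is an added example, not part of the advisory or of the Keycloak project; it assumes access logs in Combined Log Format (the sample lines are constructed) and flags every request whose path matches `/admin/realms/{realm}/users/{UUID}/unmanagedAttributes`, then summarises successful reads per source address so an unexpected caller stands out.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample access-log lines (Combined Log Format); not real Keycloak output.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /admin/realms/myrealm/users/3f2504e0-4f89-11d3-9a0c-0305e82c3301/unmanagedAttributes HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [10/May/2024:12:00:02 +0000] "GET /admin/realms/myrealm/users/3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2024:12:00:03 +0000] "GET /realms/myrealm/account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:00:04 +0000] "GET /admin/realms/other/users/9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d/unmanagedAttributes?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

UUID = r'[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

# Path shape of the endpoint named in the advisory; query strings are stripped before matching.
ENDPOINT_RE = re.compile(
    rf'^/admin/realms/(?P<realm>[^/]+)/users/(?P<uuid>{UUID})/unmanagedAttributes/?$'
)


def find_unmanaged_attribute_reads(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that targets the unmanagedAttributes endpoint."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        e = ENDPOINT_RE.match(path)
        if not e:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "realm": e.group("realm"),
            "user_id": e.group("uuid"),
            "status": m.group("status"),
        })
    return hits


def successful_reads_by_source(log_text: str) -> Dict[str, int]:
    """Count 2xx responses from the endpoint per client IP; non-2xx attempts are excluded."""
    counts: Counter = Counter()
    for hit in find_unmanaged_attribute_reads(log_text):
        if hit["status"].startswith("2"):
            counts[hit["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_unmanaged_attribute_reads(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["method"]} realm={hit["realm"]} '
              f'user={hit["user_id"]} status={hit["status"]}')
    print("successful reads per source:", successful_reads_by_source(SAMPLE_LOG))
```

Feed the function a real log export in place of `SAMPLE_LOG`; any source that appears in the successful-read summary but is not an expected administrative client is worth checking against the realm's role assignments, since the advisory states the view-users role alone is enough to reach this data.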