Keycloak Server-Side Request Forgery Vulnerability via OIDC Token Endpoint Manipulation

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Keycloak. The flaw allows an authenticated attacker to control the 'client_session_host' parameter of a refresh token request. It arises when a Keycloak client is configured with a 'backchannel.logout.url' that contains the 'application.session.host' placeholder, so that the attacker-supplied host is substituted into the logout URL. Exploitation makes the Keycloak server issue HTTP requests from its own network context, potentially reaching internal networks, cloud metadata services, or private APIs, and can lead to unauthorized information disclosure.

Impact

Exploitation of this vulnerability could allow an authenticated attacker to perform SSRF, manipulating the Keycloak server into making requests to internal resources or APIs that are not publicly accessible.

Reproduction

To reproduce this vulnerability, an authenticated user first obtains a refresh token by logging in and requesting a token. The 'client_session_host' parameter is then manipulated in the refresh token request. This is possible when the Keycloak client is configured with a 'backchannel.logout.url' that uses the 'application.session.host' placeholder. Once the parameter is set, the Keycloak server sends a POST request to the URL derived from the 'client_session_host' value, effectively probing internal networks or APIs from the server's context.
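The mitigation side of the procedure above, as an added example that is not Keycloak's own code: a server-side check that only substitutes a caller-supplied session host into the backchannel logout URL template when it is a bare host[:port], is not a non-global IP literal (loopback, RFC1918, link-local such as the cloud metadata address), and matches a per-client allowlist. The template text, the allowlist and the function names are assumptions for illustration.

```python
import ipaddress
import re
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Placeholder name as described in the advisory; the template itself is a constructed example.
PLACEHOLDER = "${application.session.host}"
EXAMPLE_TEMPLATE = "https://" + PLACEHOLDER + "/oidc/backchannel-logout"

# Accept host[:port] only: no scheme, path, query, fragment, userinfo or whitespace.
_HOST_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)


def is_non_global_literal(name: str) -> bool:
    """True when name is an IP literal outside the public range
    (loopback, RFC1918, link-local such as 169.254.169.254, reserved)."""
    try:
        return not ipaddress.ip_address(name).is_global
    except ValueError:
        return False  # a hostname, not a literal; judged by the allowlist instead


def resolve_backchannel_url(template: str, session_host: str,
                            allowed_hosts: Iterable[str]) -> Optional[str]:
    """Substitute the caller-supplied session host into the logout URL template
    only if it is syntactically a bare host[:port], is not a non-global IP literal,
    and its hostname is on the client's allowlist. Returns None when rejected."""
    m = _HOST_RE.match(session_host.strip())
    if m is None:
        return None
    name = m.group("name").lower()
    if is_non_global_literal(name) or name not in {h.lower() for h in allowed_hosts}:
        return None
    url = template.replace(PLACEHOLDER, session_host.strip())
    # Defence in depth: the final URL must still point at the host that was checked.
    if (urlsplit(url).hostname or "").lower() != name:
        return None
    return url


if __name__ == "__main__":
    allowed = ["app1.example.com", "app2.example.com"]  # constructed per-client allowlist
    for candidate in ["app1.example.com", "app2.example.com:8443", "169.254.169.254",
                      "10.0.0.5", "app1.example.com@10.0.0.5", "internal-api.example.net"]:
        print(f"{candidate!r:32} -> {resolve_backchannel_url(EXAMPLE_TEMPLATE, candidate, allowed)}")
```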

Added: Mar 26, 2026, 8:20 AM
Updated: Mar 26, 2026, 8:20 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 5.8
remediation: 8.3
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.