Keycloak-server: sensitive headers shown in the http access logs

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

日志输出的转义处理不恰当

Keycloak 安全漏洞

Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞，该漏洞源于当日志格式配置为详细用户提供模式时，敏感标头会以明文形式泄露到日志中，可能导致具有日志文件读取权限的攻击者提取凭据并冒充用户，造成账户完全接管。

N/A

N/A