Keycloak-services: improper authorization in keycloak organization mapper allows unauthorized organization claims

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

访问控制不恰当

Keycloak 访问控制错误漏洞

Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在访问控制错误漏洞，该漏洞源于组织功能中用户与组织域模式错误匹配。攻击者利用该漏洞可以错误地分配到组织，可能导致未经授权的访问。

N/A

N/A