Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

授权机制不恰当

Keycloak 授权问题漏洞

Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在授权问题漏洞，该漏洞源于Docker v2身份验证端点存在逻辑问题，即使Docker注册表客户端被管理员禁用后仍会颁发令牌，可能导致对容器注册表资源的意外访问。

N/A

N/A