Impact
A new keycloak service-api client was added in 2.5.0 in order to facilitate a new ssh portal in a future release. This client is configured with the "token exchange" permission which allows it to generate access tokens for users. A mismatched deployment between lagoon-core and lagoon-charts caused the client to be created with an empty secret.
An attacker with advanced knowledge of the Keycloak and Lagoon ecosystems would be able to craft an exploit that allows them to obtain an access token for any user in the lagoon realm, including admin/platform-owner users. They would then be able to access all fields/mutations on the Lagoon GraphQL API.
We're not aware of any methods by which an attacker could 1) gain admin access to the keycloak master realm or 2) access the lagoon realm settings via the keycloak UI/API.
Patches
This issue has been addressed in 2.6.0, and further improvements will follow in a subsequent release.
Workarounds
The immediate mitigation is to log in to Keycloak, go to the service-api client, and click Regenerate secret.
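To confirm the workaround has been applied (and to catch any other confidential client in the realm that ended up with an empty secret), the following audit script checks each client's secret through the Keycloak Admin REST API. This is an added example, not code from the Lagoon project or this advisory; it assumes a Keycloak deployment without the legacy "/auth" URL prefix, an admin account in the master realm usable with the built-in admin-cli client, and the realm name "lagoon" and client id "service-api" named in the advisory. It goes slightly beyond the advisory by scanning every confidential client, not only service-api.

```python
"""Audit a Keycloak realm for confidential clients whose secret is empty.

Added example (not Lagoon or Keycloak project code). Endpoints used:
  POST {base}/realms/master/protocol/openid-connect/token   (admin-cli, password grant)
  GET  {base}/admin/realms/{realm}/clients[?clientId=...]
  GET  {base}/admin/realms/{realm}/clients/{id}/client-secret
Assumption: base URL has no legacy "/auth" prefix (Keycloak 17+ quarkus layout).
"""
import json
import sys
import urllib.parse
import urllib.request


def secret_is_empty(secret_payload):
    """True if a client-secret response carries no usable secret.

    Keycloak answers {"type": "secret", "value": "<secret>"}. A missing key,
    None, or an empty / whitespace-only string all count as empty.
    """
    value = secret_payload.get("value") if isinstance(secret_payload, dict) else None
    return value is None or not str(value).strip()


def http_json(url, token=None, method="GET", form=None):
    """Minimal JSON helper over urllib; `form` is sent urlencoded if given."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def admin_token(base, username, password, fetch=http_json):
    """Obtain a master-realm admin access token via the admin-cli client."""
    payload = fetch(
        f"{base}/realms/master/protocol/openid-connect/token",
        method="POST",
        form={"grant_type": "password", "client_id": "admin-cli",
              "username": username, "password": password},
    )
    return payload["access_token"]


def inspect_client(base, realm, client, token, fetch=http_json):
    """Build a finding for one ClientRepresentation dict.

    Public clients have no secret by design, so they are never flagged;
    only confidential clients with an empty secret get emptySecret=True.
    """
    public = bool(client.get("publicClient", False))
    empty = False
    if not public:
        secret = fetch(f"{base}/admin/realms/{realm}/clients/{client['id']}/client-secret", token)
        empty = secret_is_empty(secret)
    return {"id": client["id"], "clientId": client["clientId"],
            "publicClient": public, "emptySecret": empty}


def audit_client(base, realm, client_id, token, fetch=http_json):
    """Audit a single client by its clientId; returns None if it does not exist."""
    q = urllib.parse.quote(client_id, safe="")
    clients = fetch(f"{base}/admin/realms/{realm}/clients?clientId={q}", token)
    if not clients:
        return None
    return inspect_client(base, realm, clients[0], token, fetch)


def audit_realm(base, realm, token, fetch=http_json):
    """Return findings for every confidential client in the realm with an empty secret."""
    clients = fetch(f"{base}/admin/realms/{realm}/clients", token)
    findings = [inspect_client(base, realm, c, token, fetch) for c in clients]
    return [f for f in findings if f["emptySecret"]]


if __name__ == "__main__":
    # usage: python audit_kc.py https://keycloak.example.com lagoon admin 'password'
    base_url, realm_name, user, pw = sys.argv[1:5]
    tok = admin_token(base_url, user, pw)
    svc = audit_client(base_url, realm_name, "service-api", tok)
    print("service-api:", svc)
    for finding in audit_realm(base_url, realm_name, tok):
        print("EMPTY SECRET:", finding["clientId"], finding["id"])
```

The `fetch` parameter exists so the HTTP layer can be swapped out for canned responses in tests; in production the default `http_json` is used. A non-empty finding list means the Regenerate secret step (or the 2.6.0 upgrade) still needs to be applied for that client.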
For more information
If you have any questions or comments about this advisory: