Keycloak Vulnerability Affects Sensitive Data
CVE-2024-10451

5.9 MEDIUM

What is CVE-2024-10451?

A flaw in Keycloak can expose sensitive runtime values, including passwords. It arises during the Keycloak build step (kc.sh build): configuration values supplied through environment variables can be expanded and persisted as default values in the generated bytecode, so the plaintext remains in the build output and is available at runtime. Values referenced indirectly through environment variables for SPI options and Quarkus properties are affected in the same way, because the PropertyMapper logic expands them unconditionally. The issue affects Keycloak versions up to 26.0.2.
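The script below is an added example, not Keycloak project code, that audits a built distribution for exactly this symptom: it collects the secret values present in KC_* environment variables (names containing PASSWORD, SECRET or TOKEN) and searches plain files and every member of each .jar under the given directory for their plaintext. The fixture it builds for its own demo is constructed data; the lib/quarkus/generated-bytecode.jar path and the META-INF/build-defaults.properties member name in that fixture are assumptions standing in for wherever a real build persisted the value. The scan itself does not depend on those names.

```python
"""Audit a Keycloak distribution for configuration secrets persisted into the
build output. Added example, not Keycloak project code."""
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Name fragments that usually mark a secret among Keycloak's KC_* variables.
SECRET_MARKERS = ("PASSWORD", "SECRET", "TOKEN")


def secrets_from_environment(env: Dict[str, str]) -> Dict[str, str]:
    """Select KC_* variables whose names suggest a secret and whose value is
    long enough to be worth searching for (very short values cause noise)."""
    found: Dict[str, str] = {}
    for name, value in env.items():
        if not name.startswith("KC_"):
            continue
        if any(marker in name for marker in SECRET_MARKERS) and len(value) >= 4:
            found[name] = value
    return found


def _secrets_in(data: bytes, secrets: Dict[str, str]) -> List[str]:
    """Names of the secrets whose plaintext value occurs in data."""
    return [name for name, value in secrets.items() if value.encode("utf-8") in data]


def scan_distribution(root: str, secrets: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk a distribution directory and report (path, jar_member, secret_name).

    Plain files are searched directly. Jar files are opened as zip archives and
    each member is searched, because a value baked into generated bytecode or a
    persisted properties resource sits inside a compressed jar member and would
    not be visible to a plain grep over the jar file.
    """
    hits: List[Tuple[str, str, str]] = []
    if not secrets:
        return hits
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in sorted(filenames):
            path = os.path.join(dirpath, filename)
            if filename.endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    for member in jar.namelist():
                        for name in _secrets_in(jar.read(member), secrets):
                            hits.append((path, member, name))
            else:
                with open(path, "rb") as fh:
                    for name in _secrets_in(fh.read(), secrets):
                        hits.append((path, "", name))
    return hits


def build_fixture(root: str, built_secret: str) -> None:
    """Create a constructed, minimal distribution layout in which a build has
    persisted a password into a jar. Paths and member names are assumptions
    used only for this demo; they are not a real Keycloak build."""
    quarkus_dir = os.path.join(root, "lib", "quarkus")
    conf_dir = os.path.join(root, "conf")
    os.makedirs(quarkus_dir, exist_ok=True)
    os.makedirs(conf_dir, exist_ok=True)
    with zipfile.ZipFile(os.path.join(quarkus_dir, "generated-bytecode.jar"), "w") as jar:
        # Hypothetical member: stands in for the default value written at build time.
        jar.writestr("META-INF/build-defaults.properties", f"kc.db-password={built_secret}\n")
        jar.writestr("io/example/Generated.class", b"\xca\xfe\xba\xbe no secret in here")
    with open(os.path.join(conf_dir, "keycloak.conf"), "w", encoding="utf-8") as fh:
        fh.write("db=postgres\ndb-url-host=db.internal\n")  # runtime config without secrets


def demo(env_secret: str = "hunter2-Xk9", built_secret: str = "hunter2-Xk9"):
    """Build the fixture, scan it with the secrets a build environment would
    carry, and return the hits (empty when the build output is clean)."""
    env = {"KC_DB_PASSWORD": env_secret, "KC_DB": "postgres", "HOME": "/root"}
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root, built_secret)
        return scan_distribution(root, secrets_from_environment(env))


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    # Only the variable names are printed, never the values.
    for path, member, secret_name in scan_distribution(target, secrets_from_environment(dict(os.environ))):
        location = f"{path} [{member}]" if member else path
        print(f"{secret_name} persisted in {location}")
```

Run it on the host where the build was performed, with the same variables exported, pointing at the distribution (for example the lib/quarkus directory to keep the scan fast). Any hit means the build output carries the secret: rotate the value, rebuild without the secret variables exported, and supply them only when the server is started.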

Affected Version(s)

Red Hat build of Keycloak 24 24.0.9-1

Red Hat build of Keycloak 24 24-18

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
