Keycloak Vulnerability Exposes Sensitive Information via Unsecured JGroups Configuration
CVE-2024-10973
5.7 MEDIUM
Summary
CVE-2024-10973 identifies a vulnerability in Keycloak where the configuration option KC_CACHE_EMBEDDED_MTLS_ENABLED does not function as intended, resulting in the JGroups replication configuration being exposed in plain text. An attacker on an adjacent network with access to the JGroups cluster traffic can therefore potentially intercept sensitive information. Because Keycloak clusters depend on this channel to replicate state between nodes, the flaw underlines the need to verify that the mTLS setting is actually in effect rather than assuming it is, so that replication data is not exposed and its integrity is preserved.
CVSS V3.1
Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Collectors: NVD Database