CVE-2024-10492

Keycloak-quarkus-server: keycloak path trasversal

CVSS 2.7 LOWEPSS 0.7%CWE-73

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 2.7EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

25 Nov 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Affected products

keycloakRed Hat · Red Hat build of Keycloak 24 Red Hat · Red Hat build of Keycloak 24.0.9 Red Hat · Red Hat build of Keycloak 26.0 Red Hat · Red Hat build of Keycloak 26.0.6 Red Hat · Red Hat JBoss Enterprise Application Platform 8 Red Hat · Red Hat JBoss Enterprise Application Platform Expansion Pack Red Hat · Red Hat Single Sign-On 7

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/errata/RHSA-2024:10175 https://access.redhat.com/errata/RHSA-2024:10176 https://access.redhat.com/errata/RHSA-2024:10177 https://access.redhat.com/errata/RHSA-2024:10178 https://access.redhat.com/security/cve/CVE-2024-10492 https://bugzilla.redhat.com/show_bug.cgi?id=2322447 https://github.com/keycloak/keycloak/issues/35215 https://github.com/keycloak/keycloak/pull/35223