CVE-2024-10492

Keycloak-quarkus-server: keycloak path trasversal

CVSS 2.7 LOWEPSS 0.7%CWE-73

Vexday Risk Score

8Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 2.7EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

25 nov 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Productos afectados

keycloakRed Hat · Red Hat build of Keycloak 24 Red Hat · Red Hat build of Keycloak 24.0.9 Red Hat · Red Hat build of Keycloak 26.0 Red Hat · Red Hat build of Keycloak 26.0.6 Red Hat · Red Hat JBoss Enterprise Application Platform 8 Red Hat · Red Hat JBoss Enterprise Application Platform Expansion Pack Red Hat · Red Hat Single Sign-On 7

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://access.redhat.com/errata/RHSA-2024:10175 https://access.redhat.com/errata/RHSA-2024:10176 https://access.redhat.com/errata/RHSA-2024:10177 https://access.redhat.com/errata/RHSA-2024:10178 https://access.redhat.com/security/cve/CVE-2024-10492 https://bugzilla.redhat.com/show_bug.cgi?id=2322447 https://github.com/keycloak/keycloak/issues/35215 https://github.com/keycloak/keycloak/pull/35223