← Zuruck zu CVEs

CVE-2024-10451

MEDIUM

5.9

Beschreibung

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

CVE Details

CVSS v3.1 Bewertung5.9

SchweregradMEDIUM

CVSS VektorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AngriffsvektorNETWORK

KomplexitatHIGH

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht11/25/2024

Zuletzt geandert11/25/2024

Quellenvd

Honeypot-Sichtungen0

Schwachen (CWE)

CWE-798

Referenzen

https://access.redhat.com/errata/RHSA-2024:10175(secalert@redhat.com)

https://access.redhat.com/errata/RHSA-2024:10176(secalert@redhat.com)

https://access.redhat.com/errata/RHSA-2024:10177(secalert@redhat.com)

https://access.redhat.com/errata/RHSA-2024:10178(secalert@redhat.com)

https://access.redhat.com/security/cve/CVE-2024-10451(secalert@redhat.com)

https://bugzilla.redhat.com/show_bug.cgi?id=2322096(secalert@redhat.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.