TROYANOSYVIRUS

CVE-2024-10451

MEDIUM
5.9

Description

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

CVE Details

CVSS v3.1 score: 5.9
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Complexity: HIGH
Privileges required: NONE
User interaction: NONE
Published: 11/25/2024
Last modified: 11/25/2024
Source: nvd
Honeypot observations: 0

Weaknesses (CWE)

CWE-798

IOC correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.