CVE-2024-10451

EPSS 0.12%
Veröffentlicht 25.11.2024 08:15:07
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process

Sensitive Data Exposure in Keycloak Build Process

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

Mögliche Gegenmaßnahme

Keycloak Server: Install latest version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

CNA 10 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 24

Default Statusaffected

Version 24.0.9-1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 24

Default Statusaffected

Version 24-18

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 24

Default Statusaffected

Version 24-18

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 24.0.9

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0.6-2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0-5

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0-6

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0.6

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat JBoss Enterprise Application Platform 8

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat Single Sign-On 7

Default Statusunknown

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemKeycloak

≫

Produkt Keycloak Server

Version >= 0.0.0, < 24.0.9

Version >= 26.0.0, < 26.0.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.307

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://access.redhat.com/errata/RHSA-2024:10175

https://access.redhat.com/errata/RHSA-2024:10176

https://access.redhat.com/errata/RHSA-2024:10177

https://access.redhat.com/errata/RHSA-2024:10178

https://access.redhat.com/security/cve/CVE-2024-10451

https://bugzilla.redhat.com/show_bug.cgi?id=2322096

https://github.com/keycloak/keycloak/security/advisories/GHSA-v7gv-xpgf-6395

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-10451

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-10451

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-10451

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-10451