5.9
CVE-2024-10451
- EPSS 0.09%
- Published 25.11.2024 08:15:07
- Last modified 25.11.2024 08:15:07
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorRed Hat
≫
Product
Red Hat build of Keycloak 24
Default Statusaffected
Version <
*
Version
24.0.9-1
Status
unaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 24
Default Statusaffected
Version <
*
Version
24-18
Status
unaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 24
Default Statusaffected
Version <
*
Version
24-18
Status
unaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 24.0.9
Default Statusunaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 26.0
Default Statusaffected
Version <
*
Version
26.0.6-2
Status
unaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 26.0
Default Statusaffected
Version <
*
Version
26.0-5
Status
unaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 26.0
Default Statusaffected
Version <
*
Version
26.0-6
Status
unaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 26.0.6
Default Statusunaffected
VendorRed Hat
≫
Product
Red Hat JBoss Enterprise Application Platform 8
Default Statusunaffected
VendorRed Hat
≫
Product
Red Hat Single Sign-On 7
Default Statusunknown
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.09% | 0.264 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| secalert@redhat.com | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-798 Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.