4.9
CVE-2024-11736
- EPSS 0.02%
- Veröffentlicht 14.01.2025 09:15:20
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Org.keycloak:keycloak-quarkus-server: unrestricted admin use of system and environment variables
Unrestricted admin use of system and environment variables
A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/keycloak/keycloak
≫
Paket
keycloak
Default Statusunaffected
Version
0
Version <
26.0.8
Status
affected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.0
Default Statusaffected
Version
26.0.8-1
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.0
Default Statusaffected
Version
26.0-7
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.0
Default Statusaffected
Version
26.0-8
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
RHBK 26.0.8
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Enterprise Application Platform 8
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Enterprise Application Platform Expansion Pack
Default Statusunaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemKeycloak
≫
Produkt
Keycloak Server
Version
< 26.0.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.046 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 4.9 | 1.2 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
|
CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable
The product uses an environment variable to store unencrypted sensitive information.