Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02bXB4LXBtZ3Atd3c0Oc4ABCiJ

Keycloak vulnerable to Cleartext Transmission of Sensitive Information

A vulnerability was found in Keycloak. The environment option KC_CACHE_EMBEDDED_MTLS_ENABLED does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

Permalink: https://github.com/advisories/GHSA-6mpx-pmgp-ww49
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02bXB4LXBtZ3Atd3c0Oc4ABCiJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 29 days ago
Updated: 28 days ago

CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00043
EPSS Percentile: 0.10865

Identifiers: GHSA-6mpx-pmgp-ww49, CVE-2024-10973
References:

Repository: https://github.com/keycloak/keycloak
Blast Radius: 8.0

Affected Packages

maven:org.keycloak:keycloak-quarkus-server

Dependent packages: 5
Dependent repositories: 25
Downloads:
Affected Version Ranges: >= 25.0.0, < 26.0.6
Fixed in: 26.0.6
All affected versions: 25.0.0, 25.0.1, 25.0.2, 25.0.3, 25.0.4, 25.0.5, 25.0.6, 26.0.0, 26.0.1, 26.0.2, 26.0.4, 26.0.5
All unaffected versions: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.0.1, 14.0.0, 15.0.0, 15.0.1, 15.0.2, 15.1.0, 15.1.1, 16.0.0, 16.1.0, 16.1.1, 17.0.0, 17.0.1, 18.0.0, 18.0.1, 18.0.2, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.1.1, 21.1.2, 22.0.0, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4, 23.0.5, 23.0.6, 23.0.7, 24.0.0, 24.0.1, 24.0.2, 24.0.3, 24.0.4, 24.0.5, 26.0.6, 26.0.7