MEDIUM 5.7 Maven
Duplicate Advisory: Keycloak vulnerable to Cleartext Transmission of Sensitive Information
GHSA-6mpx-pmgp-ww49
Published · Modified
Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-g6qq-c9f9-2772. This link is maintained to preserve external references.
Original Description
A vulnerability was found in Keycloak. The environment option KC_CACHE_EMBEDDED_MTLS_ENABLED has no effect: the JGroups replication configuration is always applied in plaintext, which allows an attacker with access to networks adjacent to the JGroups cluster traffic to read sensitive information.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-10973
- WEB https://github.com/keycloak/keycloak/issues/28750
- WEB https://github.com/keycloak/keycloak/issues/34644
- WEB https://github.com/keycloak/keycloak/pull/28756
- WEB https://github.com/keycloak/keycloak/pull/34668
- WEB https://github.com/keycloak/keycloak/commit/071032a108bd9e9fce9e66d00c36d56bd4b334df
- WEB https://github.com/keycloak/keycloak/commit/36defd5f33b2da5d705f179bbaa21c28b13a9996
- WEB https://access.redhat.com/security/cve/CVE-2024-10973
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2324361
- PACKAGE https://github.com/keycloak/keycloak