Show filters
6 Total Results
Displaying 1-6 of 6
Sort by:
Attacker Value
Unknown

CVE-2024-11736

Disclosure Date: January 14, 2025 (last updated January 14, 2025)
A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.
Attacker Value
Unknown

CVE-2024-11734

Disclosure Date: January 14, 2025 (last updated January 14, 2025)
A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request.
Attacker Value
Unknown

CVE-2024-9666

Disclosure Date: November 25, 2024 (last updated January 05, 2025)
A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
0
Attacker Value
Unknown

CVE-2024-10492

Disclosure Date: November 25, 2024 (last updated January 05, 2025)
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.
0
Attacker Value
Unknown

CVE-2024-10451

Disclosure Date: November 25, 2024 (last updated January 05, 2025)
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.
0
Attacker Value
Unknown

CVE-2024-10270

Disclosure Date: November 25, 2024 (last updated January 05, 2025)
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
0