Skip to content

CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process #35213

New issue
New issue
Closed
#35246
Closed
CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process#35213
#35246
Labels
kind/bugCategorizes a PR related to a bugkind/cveIssues identified as CVEs on third-party dependencies, or issues which Keycloak is not affectedrelease/26.0.6release/26.1.0
@stianst

Description

@stianst
stianst
opened on Nov 22, 2024

Description

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes a PR related to a bugkind/cveIssues identified as CVEs on third-party dependencies, or issues which Keycloak is not affectedrelease/26.0.6release/26.1.0

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions