CVE-2024-10451: Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process

Description

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

Classification

CVE ID: CVE-2024-10451

Affected Products

Vendor: Red Hat

Product: Red Hat build of Keycloak 24

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.38% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://access.redhat.com/errata/RHSA-2024:10175
https://access.redhat.com/errata/RHSA-2024:10176
https://access.redhat.com/errata/RHSA-2024:10177
https://access.redhat.com/errata/RHSA-2024:10178
https://access.redhat.com/security/cve/CVE-2024-10451
https://bugzilla.redhat.com/show_bug.cgi?id=2322096

Timeline

2024-11-28 00:11:42 UTC
CVE

Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process