CVE-2024-10973: Keycloak: cli option for encrypted jgroups ignored

Description

A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

Classification

CVE ID: CVE-2024-10973

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://access.redhat.com/security/cve/CVE-2024-10973
https://bugzilla.redhat.com/show_bug.cgi?id=2324361

Timeline

2024-12-18 00:30:28 UTC
CVE

Keycloak: cli option for encrypted jgroups ignored
2025-02-05 22:15:25 UTC
Github Advisory Database (Maven)

[org.keycloak:keycloak-quarkus-server] Keycloak on Quarkus CLI option for encrypted JGroups ignored