CVE-2024-10492
LOWKeycloak < 26.0.6 - Authenticated Sensitive Information Disclosure via Vault File Access
Title source: llmDescription
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.
References (8)
Core 8
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:10175
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:10176
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:10177
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:10178
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2024-10492
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2322447
Scores
CVSS v3
2.7
EPSS
0.0017
EPSS Percentile
38.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-73
Status
published
Products (11)
org.keycloak/keycloak-quarkus-server
0 - 26.0.6Maven
Red Hat/Red Hat build of Keycloak 24
24-18
Red Hat/Red Hat build of Keycloak 24
24.0.9-1
Red Hat/Red Hat build of Keycloak 24.0.9
Red Hat/Red Hat build of Keycloak 26.0
26.0-5
Red Hat/Red Hat build of Keycloak 26.0
26.0-6
Red Hat/Red Hat build of Keycloak 26.0
26.0.6-2
Red Hat/Red Hat build of Keycloak 26.0.6
Red Hat/Red Hat JBoss Enterprise Application Platform 8
Red Hat/Red Hat JBoss Enterprise Application Platform Expansion Pack
... and 1 more
Published
Nov 25, 2024
Tracked Since
Feb 18, 2026