Bug 2322447 (CVE-2024-10492)

Summary: CVE-2024-10492 keycloak-quarkus-server: Keycloak path trasversal
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drichtar, fjuma, istudens, ivassile, iweiss, jkoops, lgao, mosmerov, msochure, msvehla, nwallace, pdrozd, peholase, pesilva, pjindal, pmackay, pskopek, rmartinc, rowaters, rstancel, security-response-team, smaestri, sthorger, tom.jenkinson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2024-11-21   

Description OSIDB Bzimport 2024-10-29 13:16:46 UTC 
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. 

In Keycloak 24.0.8, a vulnerability allows unauthorized file access through path traversal in file vault configurations due to permissive regex validation. This weakness allows reading any file to the Keycloak server, but the admin user will not be able to access the contents unless they have also compromised the remote system that the password/secret is intended to be sent to. In practical terms, the only information leaked to the admin user is the existence of the file.

Version affected: <= 26.0.2
Comment 1 errata-xmlrpc 2024-11-21 19:23:26 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24

Via RHSA-2024:10175 https://access.redhat.com/errata/RHSA-2024:10175
Comment 2 errata-xmlrpc 2024-11-21 19:23:59 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24.0.9

Via RHSA-2024:10176 https://access.redhat.com/errata/RHSA-2024:10176
Comment 3 errata-xmlrpc 2024-11-21 19:24:29 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0

Via RHSA-2024:10177 https://access.redhat.com/errata/RHSA-2024:10177
Comment 4 errata-xmlrpc 2024-11-21 19:24:55 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0.6

Via RHSA-2024:10178 https://access.redhat.com/errata/RHSA-2024:10178
Comment 5 Chess Hazlett 2024-11-27 20:35:18 UTC 
upstream commit: https://github.com/keycloak/keycloak/pull/35223/commits/9fe3c398560575b8c51e41f5ba7823b760978472