https://issues.redhat.com/browse/KEYCLOAK-19422
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/theme/ClasspathThemeResourceProviderFactory.java

The ThemeResource resource exposes an endpoint for fetching theme resources:

    @GET
    @Path("/{version}/{themeType}/{themeName}/{path:.*}")
    public Response getResource(@PathParam("version") String version,
                                @PathParam("themeType") String themType,
                                @PathParam("themeName") String themeName,
                                @PathParam("path") String path) {
        ...
    }

The classpath-based resource loaders are implemented as:

    public InputStream getResourceAsStream(String path) {
        return classLoader.getResourceAsStream(resourceRoot + path);
    }

Neither method validates the path parameter, so relative traversal sequences such as ../ are passed straight through to the classloader. By requesting a theme resource with such a relative path from an external HTTP client, the client receives the contents of arbitrary files wherever they are available. In practice this exposes any file packaged within the deployed module, including other resources that are loadable as classloader resources. Disallowing double dots in the path component is probably the easiest fix.
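As an added example, not code from the Keycloak project or from the report above, the following Java class shows what a hardened variant of the classpath loader can look like. The class name SafeClasspathResourceLoader, the helper isSafeRelativePath and the probe strings in main are assumptions made for illustration. Rather than only substring-matching "..", the check rejects any path that is absolute, contains a backslash or NUL, or has an empty, "." or ".." segment, so that resourceRoot + path can never resolve above the root:

```java
import java.io.InputStream;

/**
 * Hypothetical hardened variant of a classpath-backed theme resource loader
 * (added example; not Keycloak's code). It keeps the resourceRoot + path lookup
 * but refuses anything that is not a plain relative path below the root.
 */
public final class SafeClasspathResourceLoader {
    private final ClassLoader classLoader;
    private final String resourceRoot;

    public SafeClasspathResourceLoader(ClassLoader classLoader, String resourceRoot) {
        this.classLoader = classLoader;
        // Normalise the root so that root + path can never merge two segments.
        this.resourceRoot = resourceRoot.endsWith("/") ? resourceRoot : resourceRoot + "/";
    }

    /**
     * True only for paths made of non-empty segments that are neither "." nor "..".
     * This runs on the already URL-decoded value, which is what JAX-RS hands to a
     * @PathParam, so a "%2e%2e" in the request arrives here as ".." and is rejected too.
     */
    static boolean isSafeRelativePath(String path) {
        if (path == null || path.isEmpty()) {
            return false;
        }
        if (path.startsWith("/") || path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) {
            return false;
        }
        // split with limit -1 keeps trailing empty segments, so "css/" is rejected as well
        for (String segment : path.split("/", -1)) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns null for rejected paths. The caller is assumed (not verified against
     * Keycloak) to treat null like a missing resource and answer 404.
     */
    public InputStream getResourceAsStream(String path) {
        if (!isSafeRelativePath(path)) {
            return null;
        }
        return classLoader.getResourceAsStream(resourceRoot + path);
    }

    // Constructed probes exercising the check. The traversal strings are illustrative
    // inputs, not specific paths the report says were exposed.
    public static void main(String[] args) {
        String[] probes = {
            "css/login.css",              // allow
            "img/../css/login.css",       // reject: ".." segment, even though it stays in the theme
            "../../META-INF/MANIFEST.MF", // reject: climbs out of resourceRoot
            "/META-INF/MANIFEST.MF",      // reject: absolute
            "css//login.css"              // reject: empty segment
        };
        for (String p : probes) {
            System.out.println((isSafeRelativePath(p) ? "allow  " : "reject ") + p);
        }
    }
}
```

Rejecting per segment instead of with a blanket contains("..") keeps the rule easy to reason about and avoids surprises with legitimate file names that merely contain consecutive dots. Because the loader only ever concatenates a fixed resourceRoot with a validated relative path, the classloader cannot be steered to resources outside the theme's resource directory regardless of how the request was encoded.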
This vulnerability is out of security support scope for the following products:

* Red Hat AMQ Online

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes and https://access.redhat.com/solutions/5941551 for more details.