
    8 vulnerabilities found for Red Hat build of Keycloak 24.0.9 by Red Hat

    CVE-2024-9666 (GCVE-0-2024-9666)

    Vulnerability from nvd – Published: 2024-11-25 07:29 – Updated: 2025-12-22 06:09
    Title
    Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability
    Summary
    A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
    SSVC (CISA Coordinator, v2.0.3)
    Exploitation: none; Automatable: no; Technical Impact: partial
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    Red Hat
    References
    URL | Tags
    https://access.redhat.com/errata/RHSA-2024:10175 | vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10176 | vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10177 | vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10178 | vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-9666 | vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2317440 | issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor | Product | Version | CPE
    – | keycloak (upstream, https://github.com/keycloak/keycloak) | Affected: 0, < 24.0.9 (semver) | –
    – | keycloak (upstream, https://github.com/keycloak/keycloak) | Affected: 25.0.0, < 26.0.6 (semver) | –
    Red Hat | Red Hat build of Keycloak 24 | Unaffected: 24.0.9-1, < * (rpm) | cpe:/a:redhat:build_keycloak:24::el9
    Red Hat | Red Hat build of Keycloak 24 | Unaffected: 24-18, < * (rpm) | cpe:/a:redhat:build_keycloak:24::el9
    Red Hat | Red Hat build of Keycloak 24.0.9 | – | cpe:/a:redhat:build_keycloak:24
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0.6-2, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0-5, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0-6, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0.6 | – | cpe:/a:redhat:build_keycloak:26
    Red Hat | Red Hat JBoss Enterprise Application Platform 8 | – | cpe:/a:redhat:jboss_enterprise_application_platform:8
    Date Public
    2024-11-21 16:45

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9666",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T17:14:55.721958Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T17:15:56.948Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/keycloak/keycloak",
              "defaultStatus": "unaffected",
              "packageName": "keycloak",
              "versions": [
                {
                  "lessThan": "24.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "26.0.6",
                  "status": "affected",
                  "version": "25.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24.0.9-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 24.0.9",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0.6-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 26.0.6",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-11-21T16:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.\nThe attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Low"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-22T06:09:19.514Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:10175",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10175"
            },
            {
              "name": "RHSA-2024:10176",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10176"
            },
            {
              "name": "RHSA-2024:10177",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10177"
            },
            {
              "name": "RHSA-2024:10178",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10178"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-9666"
            },
            {
              "name": "RHBZ#2317440",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317440"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-08T22:25:08.077Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-11-21T16:45:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-9666",
        "datePublished": "2024-11-25T07:29:52.073Z",
        "dateReserved": "2024-10-08T22:36:23.598Z",
        "dateUpdated": "2025-12-22T06:09:19.514Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10492 (GCVE-0-2024-10492)

    Vulnerability from nvd – Published: 2024-11-25 07:37 – Updated: 2026-05-06 17:57
    Title
    Keycloak-quarkus-server: keycloak path traversal
    Summary
    A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.
    SSVC (CISA Coordinator, v2.0.3)
    Exploitation: none; Automatable: no; Technical Impact: partial
    CWE
    • CWE-73 - External Control of File Name or Path
    Assigner
    Red Hat
    Impacted products
    Vendor | Product | Version | CPE
    – | keycloak (upstream, https://github.com/keycloak/keycloak) | Affected: 0, < 26.0.6 (semver) | –
    Red Hat | Red Hat build of Keycloak 24 | Unaffected: 24.0.9-1, < * (rpm) | cpe:/a:redhat:build_keycloak:24::el9
    Red Hat | Red Hat build of Keycloak 24 | Unaffected: 24-18, < * (rpm) | cpe:/a:redhat:build_keycloak:24::el9
    Red Hat | Red Hat build of Keycloak 24.0.9 | – | cpe:/a:redhat:build_keycloak:24
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0.6-2, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0-5, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0-6, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0.6 | – | cpe:/a:redhat:build_keycloak:26
    Red Hat | Red Hat JBoss Enterprise Application Platform 8 | – | cpe:/a:redhat:jboss_enterprise_application_platform:8
    Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | – | cpe:/a:redhat:jbosseapxp
    Red Hat | Red Hat Single Sign-On 7 | – | cpe:/a:redhat:red_hat_single_sign_on:7
    Date Public
    2024-11-21 16:56
    Credits
    Red Hat would like to thank Brahim Raddahi (is4u.be) for reporting this issue.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10492",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T17:03:29.760705Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T17:03:38.702Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/keycloak/keycloak",
              "defaultStatus": "unaffected",
              "packageName": "keycloak",
              "versions": [
                {
                  "lessThan": "26.0.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24.0.9-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 24.0.9",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0.6-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 26.0.6",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Brahim Raddahi (is4u.be) for reporting this issue."
            }
          ],
          "datePublic": "2024-11-21T16:56:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Low"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T17:57:40.724Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:10175",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10175"
            },
            {
              "name": "RHSA-2024:10176",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10176"
            },
            {
              "name": "RHSA-2024:10177",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10177"
            },
            {
              "name": "RHSA-2024:10178",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10178"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-10492"
            },
            {
              "name": "RHBZ#2322447",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322447"
            },
            {
              "url": "https://github.com/keycloak/keycloak/issues/35215"
            },
            {
              "url": "https://github.com/keycloak/keycloak/pull/35223"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-29T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-11-21T16:56:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak-quarkus-server: keycloak path trasversal",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-73: External Control of File Name or Path"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-10492",
        "datePublished": "2024-11-25T07:37:30.572Z",
        "dateReserved": "2024-10-29T13:07:47.731Z",
        "dateUpdated": "2026-05-06T17:57:40.724Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10451 (GCVE-0-2024-10451)

    Vulnerability from nvd – Published: 2024-11-25 07:37 – Updated: 2025-11-11 16:08
    Title
    Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process
    Summary
    A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible at runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.
    SSVC (CISA Coordinator, v2.0.3)
    Exploitation: none; Automatable: no; Technical Impact: partial
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Red Hat
    References
    URL | Tags
    https://access.redhat.com/errata/RHSA-2024:10175 | vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10176 | vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10177 | vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10178 | vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-10451 | vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2322096 | issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor | Product | Version | CPE
    Red Hat | Red Hat build of Keycloak 24 | Unaffected: 24.0.9-1, < * (rpm) | cpe:/a:redhat:build_keycloak:24::el9
    Red Hat | Red Hat build of Keycloak 24 | Unaffected: 24-18, < * (rpm) | cpe:/a:redhat:build_keycloak:24::el9
    Red Hat | Red Hat build of Keycloak 24.0.9 | – | cpe:/a:redhat:build_keycloak:24
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0.6-2, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0-5, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0 | Unaffected: 26.0-6, < * (rpm) | cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat | Red Hat build of Keycloak 26.0.6 | – | cpe:/a:redhat:build_keycloak:26
    Red Hat | Red Hat JBoss Enterprise Application Platform 8 | – | cpe:/a:redhat:jboss_enterprise_application_platform:8
    Red Hat | Red Hat Single Sign-On 7 | – | cpe:/a:redhat:red_hat_single_sign_on:7
    Date Public
    2024-11-21 16:55
    Credits
    Red Hat would like to thank Steven Hawkins for reporting this issue.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10451",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T16:00:10.921097Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T16:00:38.099Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24.0.9-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 24.0.9",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0.6-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 26.0.6",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Steven Hawkins for reporting this issue."
            }
          ],
          "datePublic": "2024-11-21T16:55:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-11T16:08:35.556Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:10175",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10175"
            },
            {
              "name": "RHSA-2024:10176",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10176"
            },
            {
              "name": "RHSA-2024:10177",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10177"
            },
            {
              "name": "RHSA-2024:10178",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10178"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-10451"
            },
            {
              "name": "RHBZ#2322096",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322096"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-28T07:27:41.800Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-11-21T16:55:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process",
          "x_redhatCweChain": "CWE-798: Use of Hard-coded Credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-10451",
        "datePublished": "2024-11-25T07:37:05.161Z",
        "dateReserved": "2024-10-28T07:34:31.748Z",
        "dateUpdated": "2025-11-11T16:08:35.556Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10270 (GCVE-0-2024-10270)

    Vulnerability from nvd – Published: 2024-11-25 07:37 – Updated: 2026-05-06 16:48
    Title
    Org.keycloak:keycloak-services: keycloak denial of service
    Summary
    A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario in which system resources are exhausted due to the complexity of the regular expression used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Impacted products
    Vendor    Product                                                      Version                                CPE
    -         keycloak                                                     Affected: 0 , < 24.0.9 (semver)        -
    -         keycloak                                                     Affected: 25.0.0 , < 26.0.6 (semver)   -
    Red Hat   Red Hat build of Keycloak 24                                 Unaffected: 24.0.9-1 , < * (rpm)       cpe:/a:redhat:build_keycloak:24::el9
    Red Hat   Red Hat build of Keycloak 24                                 Unaffected: 24-18 , < * (rpm)          cpe:/a:redhat:build_keycloak:24::el9
    Red Hat   Red Hat build of Keycloak 24.0.9                             -                                      cpe:/a:redhat:build_keycloak:24
    Red Hat   Red Hat build of Keycloak 26.0                               Unaffected: 26.0.6-2 , < * (rpm)       cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0                               Unaffected: 26.0-5 , < * (rpm)         cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0                               Unaffected: 26.0-6 , < * (rpm)         cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0.6                             -                                      cpe:/a:redhat:build_keycloak:26
    Red Hat   Red Hat JBoss Enterprise Application Platform 8              -                                      cpe:/a:redhat:jboss_enterprise_application_platform:8
    Red Hat   Red Hat JBoss Enterprise Application Platform Expansion Pack -                                      cpe:/a:redhat:jbosseapxp
    Red Hat   Red Hat Single Sign-On 7                                     -                                      cpe:/a:redhat:red_hat_single_sign_on:7
    Date Public
    2024-11-21 16:54

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10270",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T17:15:02.524794Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T17:15:57.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/keycloak/keycloak",
              "defaultStatus": "unaffected",
              "packageName": "keycloak",
              "versions": [
                {
                  "lessThan": "24.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "26.0.6",
                  "status": "affected",
                  "version": "25.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24.0.9-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat build of Keycloak 24.0.9",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0.6-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat build of Keycloak 26.0.6",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-11-21T16:54:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T16:48:31.868Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:10175",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10175"
            },
            {
              "name": "RHSA-2024:10176",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10176"
            },
            {
              "name": "RHSA-2024:10177",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10177"
            },
            {
              "name": "RHSA-2024:10178",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10178"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-10270"
            },
            {
              "name": "RHBZ#2321214",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321214"
            },
            {
              "url": "https://github.com/advisories/GHSA-wq8x-cg39-8mrr"
            },
            {
              "url": "https://github.com/keycloak/keycloak/commit/5d6c91f3309db468b0fe4834e88c3d25649f73e4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-23T01:51:45.483Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-11-21T16:54:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Org.keycloak:keycloak-services: keycloak denial of service",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-1333: Inefficient Regular Expression Complexity"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-10270",
        "datePublished": "2024-11-25T07:37:04.542Z",
        "dateReserved": "2024-10-23T02:00:58.671Z",
        "dateUpdated": "2026-05-06T16:48:31.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10492 (GCVE-0-2024-10492)

    Vulnerability from cvelistv5 – Published: 2024-11-25 07:37 – Updated: 2026-05-06 17:57
    Title
    Keycloak-quarkus-server: keycloak path traversal
    Summary
    A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. The attacker must already have high-level access to the Keycloak server in order to create resources, for example an LDAP provider configuration, and to set up a Vault read of a file; that read only reveals whether the file exists or not.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    Impacted products
    Vendor    Product                                                      Version                                CPE
    -         keycloak                                                     Affected: 0 , < 26.0.6 (semver)        -
    Red Hat   Red Hat build of Keycloak 24                                 Unaffected: 24.0.9-1 , < * (rpm)       cpe:/a:redhat:build_keycloak:24::el9
    Red Hat   Red Hat build of Keycloak 24                                 Unaffected: 24-18 , < * (rpm)          cpe:/a:redhat:build_keycloak:24::el9
    Red Hat   Red Hat build of Keycloak 24.0.9                             -                                      cpe:/a:redhat:build_keycloak:24
    Red Hat   Red Hat build of Keycloak 26.0                               Unaffected: 26.0.6-2 , < * (rpm)       cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0                               Unaffected: 26.0-5 , < * (rpm)         cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0                               Unaffected: 26.0-6 , < * (rpm)         cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0.6                             -                                      cpe:/a:redhat:build_keycloak:26
    Red Hat   Red Hat JBoss Enterprise Application Platform 8              -                                      cpe:/a:redhat:jboss_enterprise_application_platform:8
    Red Hat   Red Hat JBoss Enterprise Application Platform Expansion Pack -                                      cpe:/a:redhat:jbosseapxp
    Red Hat   Red Hat Single Sign-On 7                                     -                                      cpe:/a:redhat:red_hat_single_sign_on:7
    Date Public
    2024-11-21 16:56
    Credits
    Red Hat would like to thank Brahim Raddahi (is4u.be) for reporting this issue.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10492",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T17:03:29.760705Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T17:03:38.702Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/keycloak/keycloak",
              "defaultStatus": "unaffected",
              "packageName": "keycloak",
              "versions": [
                {
                  "lessThan": "26.0.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24.0.9-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 24.0.9",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0.6-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 26.0.6",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Brahim Raddahi (is4u.be) for reporting this issue."
            }
          ],
          "datePublic": "2024-11-21T16:56:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Low"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T17:57:40.724Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:10175",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10175"
            },
            {
              "name": "RHSA-2024:10176",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10176"
            },
            {
              "name": "RHSA-2024:10177",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10177"
            },
            {
              "name": "RHSA-2024:10178",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10178"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-10492"
            },
            {
              "name": "RHBZ#2322447",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322447"
            },
            {
              "url": "https://github.com/keycloak/keycloak/issues/35215"
            },
            {
              "url": "https://github.com/keycloak/keycloak/pull/35223"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-29T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-11-21T16:56:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak-quarkus-server: keycloak path traversal",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-73: External Control of File Name or Path"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-10492",
        "datePublished": "2024-11-25T07:37:30.572Z",
        "dateReserved": "2024-10-29T13:07:47.731Z",
        "dateUpdated": "2026-05-06T17:57:40.724Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10451 (GCVE-0-2024-10451)

    Vulnerability from cvelistv5 – Published: 2024-11-25 07:37 – Updated: 2025-11-11 16:08
    Title
    Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process
    Summary
    A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2024:10175 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10176 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10177 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10178 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-10451 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2322096 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 24 Unaffected: 24.0.9-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:24::el9
    Red Hat Red Hat build of Keycloak 24 Unaffected: 24-18 , < * (rpm)
        cpe:/a:redhat:build_keycloak:24::el9
    Red Hat Red Hat build of Keycloak 24.0.9     cpe:/a:redhat:build_keycloak:24
    Red Hat Red Hat build of Keycloak 26.0 Unaffected: 26.0.6-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat Red Hat build of Keycloak 26.0 Unaffected: 26.0-5 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat Red Hat build of Keycloak 26.0 Unaffected: 26.0-6 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat Red Hat build of Keycloak 26.0.6     cpe:/a:redhat:build_keycloak:26
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Date Public
    2024-11-21 16:55
    Credits
    Red Hat would like to thank Steven Hawkins for reporting this issue.
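    The summary above describes two ways a secret reaches the built artifact: a `KC_*` variable present in the build environment, and an expression such as `${env:NAME}` that the build expands unconditionally. The following Python is an added model written for this page, not Keycloak's PropertyMapper code: it contrasts a build step that persists and expands every option visible at build time with one that persists only build-time options and stores their values verbatim so expressions resolve at start-up, then checks which secrets ended up in the artifact. `BUILD_TIME_OPTIONS`, the `${env:NAME[:default]}` grammar, and the sample environment and options are constructed for the example.

```python
"""Model of the build-time secret capture behind CVE-2024-10451 (added example, not Keycloak code)."""
import re

# Constructed subset of Keycloak's option classes: `db`, `health-enabled` and
# `http-relative-path` are build-time options; anything else here is a runtime option.
BUILD_TIME_OPTIONS = {"db", "health-enabled", "http-relative-path"}

# ${env:NAME} or ${env:NAME:default}; a simplified expression grammar assumed for the model.
ENV_EXPR = re.compile(r"\$\{env:([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def expand(value: str, env: dict) -> str:
    """Replace every ${env:NAME[:default]} in value using the build host's environment."""
    return ENV_EXPR.sub(lambda m: env.get(m.group(1), m.group(2) or ""), value)


def env_to_option(var_name: str) -> str:
    """KC_HTTPS_KEY_STORE_PASSWORD -> https-key-store-password (Keycloak's KC_ mapping)."""
    return var_name[len("KC_"):].lower().replace("_", "-")


def persisted_defaults(build_args: dict, env: dict, *, fixed: bool) -> dict:
    """Defaults a modelled `kc.sh build` would write into the artifact.

    fixed=False (vulnerable): every option visible at build time, whether passed on the
    command line or through a KC_* variable, is expanded against the build environment
    and persisted, so runtime secrets become hard-coded defaults.
    fixed=True: only build-time options are persisted, and their values are stored
    verbatim so any expression is resolved when the server starts.
    """
    candidates = dict(build_args)
    for name, value in env.items():
        if name.startswith("KC_"):
            candidates.setdefault(env_to_option(name), value)
    persisted = {}
    for key, value in candidates.items():
        if fixed:
            if key in BUILD_TIME_OPTIONS:
                persisted[key] = value
        else:
            persisted[key] = expand(value, env)
    return persisted


def leaked_secrets(persisted: dict, env: dict, secret_vars) -> list:
    """Secret variables whose build-host value now sits verbatim in the artifact."""
    blob = "\n".join(persisted.values())
    return sorted(v for v in secret_vars if env.get(v) and env[v] in blob)


# Constructed build host: KC_* variables plus an unrelated secret referenced indirectly.
BUILD_ENV = {
    "KC_DB": "postgres",
    "KC_HTTPS_KEY_STORE_PASSWORD": "keystore-pw-from-build-host",
    "DB_ADMIN_PW": "hunter2",
    "PATH": "/usr/bin",
}
# Constructed `kc.sh build` options: one build-time flag, two runtime values via expressions.
BUILD_ARGS = {
    "health-enabled": "true",
    "db-url": "${env:KC_DB_URL:jdbc:postgresql://db/keycloak}",
    "db-password": "${env:DB_ADMIN_PW}",
}
SECRET_VARS = {"KC_HTTPS_KEY_STORE_PASSWORD", "DB_ADMIN_PW"}

if __name__ == "__main__":
    for fixed in (False, True):
        out = persisted_defaults(BUILD_ARGS, BUILD_ENV, fixed=fixed)
        print("fixed" if fixed else "vulnerable", out,
              "leaked:", leaked_secrets(out, BUILD_ENV, SECRET_VARS))
```

    The operational takeaway is the same as the model's second branch: build on a host whose environment carries no runtime secrets, and check the built image for any string that should only exist at run time.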

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10451",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T16:00:10.921097Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T16:00:38.099Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24.0.9-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 24.0.9",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0.6-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 26.0.6",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Steven Hawkins for reporting this issue."
            }
          ],
          "datePublic": "2024-11-21T16:55:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-11T16:08:35.556Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:10175",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10175"
            },
            {
              "name": "RHSA-2024:10176",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10176"
            },
            {
              "name": "RHSA-2024:10177",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10177"
            },
            {
              "name": "RHSA-2024:10178",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10178"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-10451"
            },
            {
              "name": "RHBZ#2322096",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322096"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-28T07:27:41.800Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-11-21T16:55:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process",
          "x_redhatCweChain": "CWE-798: Use of Hard-coded Credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-10451",
        "datePublished": "2024-11-25T07:37:05.161Z",
        "dateReserved": "2024-10-28T07:34:31.748Z",
        "dateUpdated": "2025-11-11T16:08:35.556Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10270 (GCVE-0-2024-10270)

    Vulnerability from cvelistv5 – Published: 2024-11-25 07:37 – Updated: 2026-05-06 16:48
    Title
    Org.keycloak:keycloak-services: keycloak denial of service
    Summary
    A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    Affected: 0 , < 24.0.9 (semver)
    Affected: 25.0.0 , < 26.0.6 (semver)
    Red Hat Red Hat build of Keycloak 24 Unaffected: 24.0.9-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:24::el9
    Red Hat Red Hat build of Keycloak 24 Unaffected: 24-18 , < * (rpm)
        cpe:/a:redhat:build_keycloak:24::el9
    Red Hat Red Hat build of Keycloak 24.0.9     cpe:/a:redhat:build_keycloak:24
    Red Hat Red Hat build of Keycloak 26.0 Unaffected: 26.0.6-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat Red Hat build of Keycloak 26.0 Unaffected: 26.0-5 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat Red Hat build of Keycloak 26.0 Unaffected: 26.0-6 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat Red Hat build of Keycloak 26.0.6     cpe:/a:redhat:build_keycloak:26
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Date Public
    2024-11-21 16:54
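    The summary above attributes the denial of service to regex complexity on untrusted search input (CWE-1333). The following Python is an added example, not Keycloak's SearchQueryUtils: it places a constructed backtracking-prone pattern next to a single-pass tokenizer for the same `key:value key2:"quoted value"` syntax, with a length cap applied before any parsing. The pattern, `MAX_QUERY_LENGTH`, the key character set and the inputs are assumptions made for the example.

```python
"""Added example for the CWE-1333 issue above: a backtracking-prone query regex beside a
linear-time tokenizer for `key:value key2:"quoted value"`. Not Keycloak's own code."""
import re
import time

# Constructed stand-in for a search-query regex with nested, overlapping quantifiers: a run of
# word characters can be split between `\w+`, the optional `(\w+)?` and the next repetition of
# the outer group in exponentially many ways, so on input that almost matches (a long word
# followed by a character the pattern cannot accept) the engine tries them all before failing.
VULNERABLE_PATTERN = re.compile(r"^((\w+):?(\w+)?\s*)*$")

MAX_QUERY_LENGTH = 2048   # assumption: bound enforced before the query is looked at
KEY_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-")


def parse_search_query(query: str, max_length: int = MAX_QUERY_LENGTH) -> list:
    """Parse `key:value key2:"quoted value"` into (key, value) pairs in one left-to-right pass.

    Every character is consumed exactly once and nothing is re-examined, so the cost is
    O(len(query)) whatever the content. Malformed input raises ValueError immediately.
    """
    if len(query) > max_length:
        raise ValueError(f"query longer than {max_length} characters")
    pairs = []
    i, n = 0, len(query)
    while i < n:
        if query[i].isspace():
            i += 1
            continue
        start = i                                   # key: allowed chars up to ':'
        while i < n and query[i] in KEY_CHARS:
            i += 1
        if i == start or i >= n or query[i] != ":":
            raise ValueError(f"expected key followed by ':' at offset {start}")
        key = query[start:i]
        i += 1                                      # skip ':'
        if i < n and query[i] == '"':               # quoted value, backslash escapes next char
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError(f"unterminated quoted value for key {key!r}")
                c = query[i]
                if c == "\\" and i + 1 < n:
                    buf.append(query[i + 1])
                    i += 2
                    continue
                if c == '"':
                    i += 1
                    break
                buf.append(c)
                i += 1
            value = "".join(buf)
        else:                                       # bare value: up to the next whitespace
            start = i
            while i < n and not query[i].isspace():
                i += 1
            value = query[start:i]
        pairs.append((key, value))
    return pairs


def rejects(query: str, **kwargs) -> bool:
    """True when parse_search_query refuses the input with ValueError."""
    try:
        parse_search_query(query, **kwargs)
    except ValueError:
        return True
    return False


def time_regex(n: int) -> float:
    """Seconds the vulnerable pattern spends rejecting n word characters followed by '!'."""
    t0 = time.perf_counter()
    VULNERABLE_PATTERN.match("a" * n + "!")
    return time.perf_counter() - t0


if __name__ == "__main__":
    for n in (10, 14, 18):                          # keep n small: growth is exponential
        print(f"n={n:2d}: vulnerable regex took {time_regex(n):.3f}s to fail")
    adversarial = "a" * 100_000 + "!"
    print("linear parser rejected the same shape at once:",
          rejects(adversarial, max_length=200_000))
```

    Two controls appear here and both matter: the length cap bounds work even for a parser with a hidden super-linear path, and the hand-written scanner removes the super-linear path altogether. A regex timeout alone would still let an attacker burn the full timeout per request.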

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10270",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T17:15:02.524794Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T17:15:57.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/keycloak/keycloak",
              "defaultStatus": "unaffected",
              "packageName": "keycloak",
              "versions": [
                {
                  "lessThan": "24.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "26.0.6",
                  "status": "affected",
                  "version": "25.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24.0.9-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat build of Keycloak 24.0.9",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0.6-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat build of Keycloak 26.0.6",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "org.keycloak/keycloak-services",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-11-21T16:54:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T16:48:31.868Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:10175",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10175"
            },
            {
              "name": "RHSA-2024:10176",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10176"
            },
            {
              "name": "RHSA-2024:10177",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10177"
            },
            {
              "name": "RHSA-2024:10178",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10178"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-10270"
            },
            {
              "name": "RHBZ#2321214",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321214"
            },
            {
              "url": "https://github.com/advisories/GHSA-wq8x-cg39-8mrr"
            },
            {
              "url": "https://github.com/keycloak/keycloak/commit/5d6c91f3309db468b0fe4834e88c3d25649f73e4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-23T01:51:45.483Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-11-21T16:54:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Org.keycloak:keycloak-services: keycloak denial of service",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-1333: Inefficient Regular Expression Complexity"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-10270",
        "datePublished": "2024-11-25T07:37:04.542Z",
        "dateReserved": "2024-10-23T02:00:58.671Z",
        "dateUpdated": "2026-05-06T16:48:31.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9666 (GCVE-0-2024-9666)

    Vulnerability from cvelistv5 – Published: 2024-11-25 07:29 – Updated: 2025-12-22 06:09
    VLAI
    Title
    Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability
    Summary
    A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    URL                                                        Tags
    https://access.redhat.com/errata/RHSA-2024:10175           vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10176           vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10177           vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:10178           vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-9666       vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2317440        issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor    Product                                          Version                              CPE
                                                               Affected: 0 , < 24.0.9 (semver)
                                                               Affected: 25.0.0 , < 26.0.6 (semver)
    Red Hat   Red Hat build of Keycloak 24                     Unaffected: 24.0.9-1 , < * (rpm)     cpe:/a:redhat:build_keycloak:24::el9
    Red Hat   Red Hat build of Keycloak 24                     Unaffected: 24-18 , < * (rpm)        cpe:/a:redhat:build_keycloak:24::el9
    Red Hat   Red Hat build of Keycloak 24.0.9                                                      cpe:/a:redhat:build_keycloak:24
    Red Hat   Red Hat build of Keycloak 26.0                   Unaffected: 26.0.6-2 , < * (rpm)     cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0                   Unaffected: 26.0-5 , < * (rpm)       cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0                   Unaffected: 26.0-6 , < * (rpm)       cpe:/a:redhat:build_keycloak:26.0::el9
    Red Hat   Red Hat build of Keycloak 26.0.6                                                      cpe:/a:redhat:build_keycloak:26
    Red Hat   Red Hat JBoss Enterprise Application Platform 8                                       cpe:/a:redhat:jboss_enterprise_application_platform:8
    Date Public
    2024-11-21 16:45

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9666",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-25T17:14:55.721958Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T17:15:56.948Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/keycloak/keycloak",
              "defaultStatus": "unaffected",
              "packageName": "keycloak",
              "versions": [
                {
                  "lessThan": "24.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "26.0.6",
                  "status": "affected",
                  "version": "25.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24.0.9-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 24",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "24-18",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:24"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 24.0.9",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0.6-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.0::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.0",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat build of Keycloak 26.0.6",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "org.keycloak/keycloak-quarkus-server",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-11-21T16:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.\nThe attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Low"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-22T06:09:19.514Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:10175",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10175"
            },
            {
              "name": "RHSA-2024:10176",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10176"
            },
            {
              "name": "RHSA-2024:10177",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10177"
            },
            {
              "name": "RHSA-2024:10178",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:10178"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-9666"
            },
            {
              "name": "RHBZ#2317440",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317440"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-08T22:25:08.077Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-11-21T16:45:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-9666",
        "datePublished": "2024-11-25T07:29:52.073Z",
        "dateReserved": "2024-10-08T22:36:23.598Z",
        "dateUpdated": "2025-12-22T06:09:19.514Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }