CVE-2024-10492
Keycloak-quarkus-server: keycloak path trasversal
CVSS Score
2.7
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.
| CWE | CWE-73 |
| Published | Nov 25, 2024 |
| Last Updated | Nov 11, 2025 |
Stay Ahead of the Next One
Get instant alerts for
Be the first to know when new low vulnerabilities are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N Affected Versions
Red Hat / Red Hat build of Keycloak 24
All versions affected Red Hat / Red Hat build of Keycloak 24
All versions affected Red Hat / Red Hat build of Keycloak 24
All versions affected Red Hat / Red Hat build of Keycloak 24.0.9
All versions affected Red Hat / Red Hat build of Keycloak 26.0
All versions affected Red Hat / Red Hat build of Keycloak 26.0
All versions affected Red Hat / Red Hat build of Keycloak 26.0
All versions affected Red Hat / Red Hat build of Keycloak 26.0.6
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
All versions affected Red Hat / Red Hat Single Sign-On 7
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2024:10175 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:10176 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:10177 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:10178 access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-10492 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2322447
Credits
Red Hat would like to thank Brahim Raddahi (is4u.be) for reporting this issue.