CVE-2024-10492
Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path
2.7
LOW
CVSS 3.1
EPSS 0.17%
Description
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.
How to fix CVE-2024-10492
To remediate CVE-2024-10492, upgrade the affected package to a fixed version below.
- —upgrade to 26.0.6 or later
Is CVE-2024-10492 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 26.0.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW2.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |