Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2024-10973

5.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): ADJACENT_NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 year, 3 months ago

Keycloak: cli option for encrypted jgroups ignored

A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

References

https://access.redhat.com/security/cve/CVE-2024-10973 vdb-entryx_refsource_REDHAT
RHBZ#2324361 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-10973 vdb-entryx_refsource_REDHAT
RHBZ#2324361 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-10973 vdb-entryx_refsource_REDHAT
RHBZ#2324361 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-10973 vdb-entryx_refsource_REDHAT
RHBZ#2324361 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-10973 vdb-entryx_refsource_REDHAT
RHBZ#2324361 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-10973 vdb-entryx_refsource_REDHAT
RHBZ#2324361 x_refsource_REDHATissue-tracking

Affected products

keycloak

*
<25.0
<23.0

org.keycloak/keycloak-quarkus-server

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.0.6
- nixpkgs-unstable 26.0.6
- nixos-unstable-small 26.0.7

pkgs.terraform-providers.keycloak

None

nixos-unstable 4.4.0
- nixpkgs-unstable 4.4.0
- nixos-unstable-small 4.4.0

pkgs.python311Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>
@NickCao Nick Cao <nickcao@nichi.co>
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>