CVE-2024-10973
MEDIUM5.7EPSS 0.03%Keycloak on Quarkus CLI option for encrypted JGroups ignored
Published: 2/5/2025Modified: 2/5/2025
Also known as:GHSA-g6qq-c9f9-2772
Description
The env option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the jgroups replication configuration is always used in plain. This option worked before in 24 and 22. More info in public issue https://github.com/keycloak/keycloak/issues/34644.
Affected packages (1)
- Maven/org.keycloak:keycloak-quarkus-server>= 25.0.0, < 26.0.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-10973
- PATCHhttps://github.com/keycloak/keycloak
- WEBhttps://access.redhat.com/security/cve/CVE-2024-10973
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2324361
- WEBhttps://github.com/keycloak/keycloak/commit/071032a108bd9e9fce9e66d00c36d56bd4b334df
- WEBhttps://github.com/keycloak/keycloak/commit/36defd5f33b2da5d705f179bbaa21c28b13a9996
- WEBhttps://github.com/keycloak/keycloak/issues/28750
- WEBhttps://github.com/keycloak/keycloak/issues/34644
- WEBhttps://github.com/keycloak/keycloak/pull/28756
- WEBhttps://github.com/keycloak/keycloak/pull/34668
- WEBhttps://github.com/keycloak/keycloak/security/advisories/GHSA-g6qq-c9f9-2772