Aug 26, 2022 - 4:15 p.m.

CVE-2021-3856

2022-08-26 16:15:09
CWE-552
CWE-22
web.nvd.nist.gov

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 4.5 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 34.9%)

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path, an external HTTP client will receive the content of random files, if available.

Affected configurations

Node: redhat keycloak, Range 15.1.0

Vendor: redhat
Product: keycloak
Version: *
CPE: cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "keycloak",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in 15.1.0"
      }
    ]
  }
]
