GitHub Advisory Database: GHSA-3W4V-RVC4-2XPW
Aug 27, 2022 - 12:00 a.m.

Keycloak has Files or Directories Accessible to External Parties

2022-08-27 00:00:45
CWE-22
CWE-552
GitHub Advisory Database
github.com
10
keycloak
external parties
files.

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
Percentile: 34.9%

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.
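
The check a classpath-backed theme resource lookup needs, shown beside the unguarded form, as an added example (not Keycloak's code and not its actual fix). The class name, ROOT and the sample request paths are assumptions made up for illustration.

```java
import java.net.URL;
import java.util.ArrayDeque;
import java.util.Deque;

public class ThemeResourceGuard {
    // Hypothetical classpath root for one theme's static resources (assumption).
    static final String ROOT = "theme/example/login/resources";

    // Unguarded form of the lookup the advisory describes: the request path is
    // appended to the root and handed to the classloader without validation.
    static URL loadUnchecked(ClassLoader cl, String requested) {
        return cl.getResource(ROOT + "/" + requested);
    }

    // Returns the normalized resource name, or null when the request would leave
    // ROOT. Expects the path already URL-decoded once by the HTTP layer.
    static String resolve(String requested) {
        if (requested == null || requested.indexOf('\0') >= 0) return null;
        if (requested.indexOf('\\') >= 0) return null; // no backslash separators
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : requested.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (parts.isEmpty()) return null; // climbs above the theme root
                parts.removeLast();
            } else {
                parts.addLast(seg);
            }
        }
        return parts.isEmpty() ? null : ROOT + "/" + String.join("/", parts);
    }

    // Guarded lookup: only names that stay under ROOT reach the classloader.
    static URL loadChecked(ClassLoader cl, String requested) {
        String name = resolve(requested);
        return name == null ? null : cl.getResource(name);
    }

    public static void main(String[] args) {
        // Constructed sample request paths; null means the request is rejected.
        String[] samples = {"css/login.css", "css/../img/logo.png",
                "../../../META-INF/MANIFEST.MF", "css/../../x", "a\\..\\b"};
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```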

Affected configurations

Vulners
Node
org.keycloak\keycloak Match core
CPE Name Operator Version
org.keycloak:keycloak-core lt 15.1.0

