OSV:GHSA-3W4V-RVC4-2XPW
Source: osv (Google)
Aug 27, 2022 - 12:00 a.m.

Keycloak has Files or Directories Accessible to External Parties

2022-08-27 00:00:45
Google
osv.dev
keycloak
files access
directories access
external parties
classloadertheme
classpaththemeresourceproviderfactory
http client
security

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
Percentile: 34.9%

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path, an external HTTP client will receive the content of arbitrary files, if available.
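The weakness described above, shown as an added illustration that is neither Keycloak's code nor its actual fix: a theme resource lookup that appends the requested path unchecked, beside a version that confines the request to the theme root. The class name, `ROOT` prefix, method names and sample paths are all assumptions made for the example.

```java
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

// Illustrative guard, not Keycloak code. ROOT and all names are assumptions.
public class ThemeResourceGuard {
    // Assumed classpath prefix that theme resources are served from.
    static final String ROOT = "theme/example/login/resources/";

    // Weak form: the requested path is appended unchecked, so relative
    // segments reach the classloader and can name resources outside ROOT.
    static InputStream unsafeOpen(ClassLoader cl, String requested) {
        return cl.getResourceAsStream(ROOT + requested);
    }

    // Hardened form: returns the resource name under ROOT, or null to reject.
    // Expects the already URL-decoded path, so "%2e%2e" is seen as "..".
    static String confine(String requested) {
        if (requested == null || requested.startsWith("/")
                || requested.indexOf('\\') >= 0 || requested.indexOf('\0') >= 0) {
            return null;
        }
        List<String> kept = new ArrayList<>();
        for (String seg : requested.split("/", -1)) {
            if (seg.equals("..")) return null;            // never walk upward
            if (seg.isEmpty() || seg.equals(".")) continue; // drop no-op segments
            kept.add(seg);
        }
        return kept.isEmpty() ? null : ROOT + String.join("/", kept);
    }

    static InputStream safeOpen(ClassLoader cl, String requested) {
        String name = confine(requested);
        return name == null ? null : cl.getResourceAsStream(name);
    }

    public static void main(String[] args) {
        // Constructed request paths, for illustration only.
        String[] samples = { "css/login.css", "./img//logo.png",
                "../../../application.properties", "/etc/hostname", "css\\..\\x" };
        for (String s : samples) {
            String name = confine(s);
            System.out.println(s + " -> " + (name == null ? "REJECTED" : name));
        }
    }
}
```

The check only holds if it runs on the final decoded path, immediately before the classloader lookup; validating an earlier, still-encoded form of the request leaves the lookup exposed.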
