CVE-2024-10451
📋 TL;DR
This vulnerability in Keycloak allows sensitive runtime values, such as passwords, to be captured during the build process and embedded as default values in bytecode, leading to information disclosure. Attackers could potentially access these embedded secrets at runtime. All Keycloak versions up to 26.0.2 are affected.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to embedded sensitive credentials (passwords, tokens, keys) leading to full system compromise, data breaches, and lateral movement within the environment.
Likely Case
Unauthorized access to sensitive configuration data and credentials stored in bytecode, potentially enabling privilege escalation or further attacks.
If Mitigated
Limited exposure with proper access controls, but the embedded secrets remain in the bytecode, creating a persistent risk.
🎯 Exploit Status
Exploitation requires access to the runtime environment and knowledge of how to extract embedded values from bytecode.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Keycloak 26.0.3 and later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-10451
Restart Required: Yes
Instructions:
1. Upgrade to Keycloak 26.0.3 or later.
2. Rebuild any custom Keycloak distributions.
3. Restart Keycloak services.
4. Rotate any potentially exposed credentials.
🔧 Temporary Workarounds
Avoid sensitive data in build environment
Do not pass sensitive values directly as environment variables during the Keycloak build process
Use external configuration
Store sensitive configuration in external secure stores rather than embedding it during the build
🧯 If You Can't Patch
- Rotate all credentials that may have been exposed during the build process
- Implement strict access controls and monitoring on Keycloak runtime environments
🔍 How to Verify
Check if Vulnerable:
Check the Keycloak version: if it is 26.0.2 or earlier, the system is vulnerable. Review the build process for sensitive environment variable usage.
Check Version:
keycloak.sh --version or check Keycloak admin console version information
Verify Fix Applied:
Confirm the Keycloak version is 26.0.3 or later. Verify that no sensitive data is embedded in the bytecode by checking the configuration sources.
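The two checks above, as an added verification helper that is not part of this advisory or of the Keycloak project: one function compares a version string against the fixed release, the other searches the built artifacts for the literal values of secrets that were present in the build environment. The build output location, the jar name and the secret values are assumptions (the demo constructs its own sample jar); KC_DB_PASSWORD is used only as an example of a build-time variable name.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (26, 0, 3)  # first release carrying the fix, per the advisory

def parse_version(text):
    """Extract major.minor.patch from a version banner such as 'Keycloak 26.0.2'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected_version(text):
    """True when the reported Keycloak version predates the fixed release."""
    return parse_version(text) < FIXED_VERSION

def _scan(name, data, secrets):
    # Literal byte match: adequate for ASCII secrets, which appear unchanged in
    # class-file constant pools; non-ASCII values would need modified-UTF-8 handling.
    return [(name, key) for key, value in secrets.items() if value.encode() in data]

def find_embedded_secrets(build_dir, secrets):
    """Return (artifact, secret-name) pairs where a build-time secret value appears
    literally inside a .class file, either loose on disk or packed in a .jar."""
    hits = []
    for root, _dirs, files in os.walk(build_dir):
        for fname in files:
            path = os.path.join(root, fname)
            if fname.endswith(".jar"):
                with zipfile.ZipFile(path) as jar:
                    for entry in jar.namelist():
                        if entry.endswith(".class"):
                            hits += _scan(f"{path}!{entry}", jar.read(entry), secrets)
            elif fname.endswith(".class"):
                with open(path, "rb") as fh:
                    hits += _scan(path, fh.read(), secrets)
    return hits

def demo():
    """Constructed sample: a fake jar whose one class embeds the DB password."""
    secrets = {"KC_DB_PASSWORD": "s3cr3t-build-pass", "EXAMPLE_STORE_PASSWORD": "ks-pass-42"}
    with tempfile.TemporaryDirectory() as build_dir:
        # Assumed layout: optimized build output under <KEYCLOAK_HOME>/lib/quarkus.
        jar_path = os.path.join(build_dir, "lib", "quarkus", "example-app.jar")
        os.makedirs(os.path.dirname(jar_path))
        with zipfile.ZipFile(jar_path, "w") as jar:
            jar.writestr("io/example/Config.class", b"\xca\xfe\xba\xbe..s3cr3t-build-pass..")
            jar.writestr("io/example/Clean.class", b"\xca\xfe\xba\xbe..no defaults here..")
        return sorted(name for _path, name in find_embedded_secrets(build_dir, secrets))
```

Run the scan against a real build directory with the secret values that were exported in the build shell; any hit means those credentials must be rotated and the distribution rebuilt without them.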
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to configuration endpoints
- Attempts to extract runtime configuration data
Network Indicators:
- Suspicious requests to configuration-related API endpoints
SIEM Query:
source="keycloak" AND (event_type="CONFIG_ACCESS" OR uri_path="/admin/realms/*/config")
🔗 References
- https://access.redhat.com/errata/RHSA-2024:10175
- https://access.redhat.com/errata/RHSA-2024:10176
- https://access.redhat.com/errata/RHSA-2024:10177
- https://access.redhat.com/errata/RHSA-2024:10178
- https://access.redhat.com/security/cve/CVE-2024-10451
- https://bugzilla.redhat.com/show_bug.cgi?id=2322096