CVE-2024-10039 – org.keycloak:keycloak-core

Package

Manager: maven
Name: org.keycloak:keycloak-core
Vulnerable Version: >=0 <26.0.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

Metadata

Created: 2024-11-25T19:40:46Z
Modified: 2025-01-30T17:47:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-93ww-43rr-79v3/GHSA-93ww-43rr-79v3.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-93ww-43rr-79v3
Finding: F163
Auto approve: 1