A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.
History

Fri, 22 Nov 2024 14:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.
Title keycloak-core: mTLS passthrough
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-295
CPEs cpe:/a:redhat:build_keycloak:24
cpe:/a:redhat:build_keycloak:24::el9
cpe:/a:redhat:build_keycloak:26
cpe:/a:redhat:build_keycloak:26.0::el9
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


cve-icon MITRE

No data.

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2024-11-21T16:45:00Z

Links: CVE-2024-10039 - Bugzilla