CVE-2024-10039 - Vulnerability Details

Vendors	Products
Redhat	Build Keycloak

Package	CPE	Advisory	Released Date
Red Hat build of Keycloak 24
rhbk/keycloak-operator-bundle:24.0.9-1	cpe:/a:redhat:build_keycloak:24::el9	RHSA-2024:10175	2024-11-21T00:00:00Z
rhbk/keycloak-rhel9:24-18	cpe:/a:redhat:build_keycloak:24::el9	RHSA-2024:10175	2024-11-21T00:00:00Z
rhbk/keycloak-rhel9-operator:24-18	cpe:/a:redhat:build_keycloak:24::el9	RHSA-2024:10175	2024-11-21T00:00:00Z
Red Hat build of Keycloak 24.0.9
org.keycloak/keycloak-core	cpe:/a:redhat:build_keycloak:24	RHSA-2024:10176	2024-11-21T00:00:00Z
Red Hat build of Keycloak 26.0
rhbk/keycloak-operator-bundle:26.0.6-2	cpe:/a:redhat:build_keycloak:26.0::el9	RHSA-2024:10177	2024-11-21T00:00:00Z
rhbk/keycloak-rhel9:26.0-5	cpe:/a:redhat:build_keycloak:26.0::el9	RHSA-2024:10177	2024-11-21T00:00:00Z
rhbk/keycloak-rhel9-operator:26.0-6	cpe:/a:redhat:build_keycloak:26.0::el9	RHSA-2024:10177	2024-11-21T00:00:00Z
Red Hat build of Keycloak 26.0.6
org.keycloak/keycloak-core	cpe:/a:redhat:build_keycloak:26	RHSA-2024:10178	2024-11-21T00:00:00Z

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2024-10039
https://www.cve.org/CVERecord?id=CVE-2024-10039

Type	Values Removed	Values Added
Description		A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.
Title		keycloak-core: mTLS passthrough
First Time appeared		Redhat Redhat build Keycloak
Weaknesses		CWE-295
CPEs		cpe:/a:redhat:build_keycloak:24 cpe:/a:redhat:build_keycloak:24::el9 cpe:/a:redhat:build_keycloak:26 cpe:/a:redhat:build_keycloak:26.0::el9
Vendors & Products		Redhat Redhat build Keycloak
References		https://nvd.nist.gov/vuln/detail/CVE-2024-10039 https://www.cve.org/CVERecord?id=CVE-2024-10039
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` threat_severity `Important`

Show plain JSON

{"acknowledgement": "This issue was discovered by Alexander Schwartz (Red Hat).", "affected_release": [{"advisory": "RHSA-2024:10175", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-operator-bundle:24.0.9-1", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10175", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-rhel9:24-18", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10175", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-rhel9-operator:24-18", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10176", "cpe": "cpe:/a:redhat:build_keycloak:24", "package": "org.keycloak/keycloak-core", "product_name": "Red Hat build of Keycloak 24.0.9", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10177", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-operator-bundle:26.0.6-2", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10177", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-rhel9:26.0-5", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10177", "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9", "package": "rhbk/keycloak-rhel9-operator:26.0-6", "product_name": "Red Hat build of Keycloak 26.0", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10178", "cpe": "cpe:/a:redhat:build_keycloak:26", "package": "org.keycloak/keycloak-core", "product_name": "Red Hat build of Keycloak 26.0.6", "release_date": "2024-11-21T00:00:00Z"}], "bugzilla": {"description": "keycloak-core: mTLS passthrough", "id": "2319217", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319217"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-295", "details": ["A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism."], "name": "CVE-2024-10039", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak/keycloak-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "org.keycloak/keycloak-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-11-21T16:45:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-10039\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10039"], "statement": "Red Hat Enterprise Application Platform does not ship the Keycloak server code and thus is not affected by this vulnerability.", "threat_severity": "Important"}

{

acknowledgement : This issue was discovered by Alexander Schwartz (Red Hat). (string)

affected_release : [ »

0 : { »

advisory : RHSA-2024:10175 (string)

cpe : cpe:/a:redhat:build_keycloak:24::el9 (string)

package : rhbk/keycloak-operator-bundle:24.0.9-1 (string)

product_name : Red Hat build of Keycloak 24 (string)

release_date : 2024-11-21T00:00:00Z (string)

}

1 : { »

advisory : RHSA-2024:10175 (string)

cpe : cpe:/a:redhat:build_keycloak:24::el9 (string)

package : rhbk/keycloak-rhel9:24-18 (string)

product_name : Red Hat build of Keycloak 24 (string)

release_date : 2024-11-21T00:00:00Z (string)

}

2 : { »

advisory : RHSA-2024:10175 (string)

cpe : cpe:/a:redhat:build_keycloak:24::el9 (string)

package : rhbk/keycloak-rhel9-operator:24-18 (string)

product_name : Red Hat build of Keycloak 24 (string)

release_date : 2024-11-21T00:00:00Z (string)

}

3 : { »

advisory : RHSA-2024:10176 (string)

cpe : cpe:/a:redhat:build_keycloak:24 (string)

package : org.keycloak/keycloak-core (string)

product_name : Red Hat build of Keycloak 24.0.9 (string)

release_date : 2024-11-21T00:00:00Z (string)

}

4 : { »

advisory : RHSA-2024:10177 (string)

cpe : cpe:/a:redhat:build_keycloak:26.0::el9 (string)

package : rhbk/keycloak-operator-bundle:26.0.6-2 (string)

product_name : Red Hat build of Keycloak 26.0 (string)

release_date : 2024-11-21T00:00:00Z (string)

}

5 : { »

advisory : RHSA-2024:10177 (string)

cpe : cpe:/a:redhat:build_keycloak:26.0::el9 (string)

package : rhbk/keycloak-rhel9:26.0-5 (string)

product_name : Red Hat build of Keycloak 26.0 (string)

release_date : 2024-11-21T00:00:00Z (string)

}

6 : { »

advisory : RHSA-2024:10177 (string)

cpe : cpe:/a:redhat:build_keycloak:26.0::el9 (string)

package : rhbk/keycloak-rhel9-operator:26.0-6 (string)

product_name : Red Hat build of Keycloak 26.0 (string)

release_date : 2024-11-21T00:00:00Z (string)

}

7 : { »

advisory : RHSA-2024:10178 (string)

cpe : cpe:/a:redhat:build_keycloak:26 (string)

package : org.keycloak/keycloak-core (string)

product_name : Red Hat build of Keycloak 26.0.6 (string)

release_date : 2024-11-21T00:00:00Z (string)

}

]

bugzilla : { »

description : keycloak-core: mTLS passthrough (string)

id : 2319217 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2319217 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.1 (string)

cvss3_scoring_vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (string)

status : verified (string)

}

cwe : CWE-295 (string)

details : [ »

0 : A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism. (string)

]

name : CVE-2024-10039 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:jboss_enterprise_application_platform:8 (string)

fix_state : Not affected (string)

package_name : org.keycloak/keycloak-core (string)

product_name : Red Hat JBoss Enterprise Application Platform 8 (string)

}

1 : { »

cpe : cpe:/a:redhat:red_hat_single_sign_on:7 (string)

fix_state : Affected (string)

package_name : org.keycloak/keycloak-core (string)

product_name : Red Hat Single Sign-On 7 (string)

}

]

public_date : 2024-11-21T16:45:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2024-10039 https://nvd.nist.gov/vuln/detail/CVE-2024-10039 (string)

]

statement : Red Hat Enterprise Application Platform does not ship the Keycloak server code and thus is not affected by this vulnerability. (string)

threat_severity : Important (string)

}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object