Home > Vulnerability Database > CVE-2024-11736

Mend.io Vulnerability Database

CVE-2024-11736

Good to know:

Date: January 14, 2025

A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.

Severity Score

4.9

Related Resources (9)

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2328850

Url: https://github.com/keycloak/keycloak/security/advisories/GHSA-f4v7-3mww-9gc2

Url: https://access.redhat.com/security/cve/CVE-2024-11736

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-11736

Url: https://access.redhat.com/errata/RHSA-2025:0299

Url: https://github.com/keycloak/keycloak

Url: https://github.com/keycloak/keycloak/commit/7a76858fe4aa39a39fb6b86dd3d2c113d9c59854

Url: https://access.redhat.com/errata/RHSA-2025:0300

Url: https://www.mend.io/vulnerability-database/CVE-2024-11736

Severity Score

4.9

Weakness Type (CWE)

Cleartext Storage of Sensitive Information in an Environment Variable

CWE-526

Top Fix

Upgrade Version

Upgrade to version org.keycloak:keycloak-saml-adapter-core:26.0.8;org.keycloak:keycloak-saml-adapter-core-jakarta:25.0.6;org.keycloak:keycloak-authz-client:26.0.4;org.keycloak:keycloak-authz-client:26.0.4;org.keycloak:keycloak-authz-client:26.0.4;org.keycloak:keycloak-common:26.0.8;org.keycloak:keycloak-common:26.0.8;org.keycloak:keycloak-common:26.0.8;org.keycloak:keycloak-services:1.5.0-Final;org.keycloak:keycloak-services:26.0.8;org.keycloak:keycloak-services:26.0.8;org.keycloak:keycloak-services:26.0.8;org.keycloak:keycloak-saml-core:26.0.8;org.keycloak:keycloak-saml-core:1.5.0-Final;org.keycloak:keycloak-saml-core:26.0.8;org.keycloak:keycloak-saml-core:26.0.8;org.keycloak:keycloak-model-jpa:1.5.0-Final;org.keycloak:keycloak-model-jpa:26.0.8;org.keycloak:keycloak-model-jpa:26.0.8;org.keycloak:keycloak-core:1.5.0-Final;org.keycloak:keycloak-core:26.0.8;org.keycloak:keycloak-core:26.0.8;org.keycloak:keycloak-core:26.0.8;org.kie:keycloak-kie-server-spring-boot-sample:7.60.0.Final;org.kie:keycloak-kie-server-spring-boot-sample:7.68.0.Final;org.jboss.aerogear.unifiedpush:unifiedpush-auth-server:1.0.2;org.teiid:vdb-base-builder:1.6.0;org.jboss.aerogear.unifiedpush:unifiedpush-server-eap:no_fix;io.syndesis.meta:meta:1.13.1;io.syndesis.meta:meta:1.13.1;io.fabric8.quickstarts:spring-boot-camel-soap-rest-bridge:no_fix;io.fabric8.quickstarts:spring-boot-camel-soap-rest-bridge:no_fix;io.fabric8.quickstarts:spring-boot-camel-soap-rest-bridge:no_fix;org.keycloak:keycloak-client-common-synced:26.0.3;org.keycloak:keycloak-client-common-synced:26.0.4

Learn More

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-11736

Good to know:

Date: January 14, 2025

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?