Exposure of Sensitive Information Through Environmental Variables Affecting org.keycloak:keycloak-core package, versions [,26.0.8)


Severity: medium (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-JAVA-ORGKEYCLOAK-8622552
  • Published: 14 Jan 2025
  • Disclosed: 13 Jan 2025
  • Credit: Steven Hawkins

Introduced: 13 Jan 2025

CVE-2024-11736
CWE-526

How to fix?

Upgrade org.keycloak:keycloak-core to version 26.0.8 or higher.

Overview

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables via user-configurable URLs.

The vulnerability is exploitable through the configuration of backchannel logout URLs or admin URLs: when such a URL includes placeholders like ${env.VARNAME} or ${PROPNAME}, they are replaced with the actual values during URL processing. An attacker who can configure these URLs can thereby access sensitive server environment variables and system properties.
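As an added example (not part of the Snyk advisory and not Keycloak's own code), the following script shows the defender-side check that follows from the description above: an admission rule that rejects any client URL containing a ${env.NAME} or ${NAME} placeholder, plus an audit over a realm export that lists every client whose admin URL or backchannel logout URL would be expanded before use. The realm export is constructed inline; the field names (adminUrl, rootUrl, baseUrl) and the attribute key backchannel.logout.url are assumptions about the export format, and the placeholder names in the sample are made up.

```python
import json
import re

# Matches the two placeholder forms named in the advisory: ${env.NAME} and ${NAME}.
PLACEHOLDER_RE = re.compile(r"\$\{(env\.)?([A-Za-z_][A-Za-z0-9_.-]*)\}")

# Client fields and attribute keys that hold user-configurable URLs
# (names are assumptions about the realm export layout, not taken from the advisory).
URL_FIELDS = ("adminUrl", "rootUrl", "baseUrl")
URL_ATTRIBUTES = ("backchannel.logout.url",)


def find_placeholders(url):
    """Return every ${...} placeholder present in a configured URL (empty list if none)."""
    return [m.group(0) for m in PLACEHOLDER_RE.finditer(url or "")]


def is_safe_url(url):
    """Admission check for a URL submitted through client configuration:
    accept only URLs that contain nothing an expansion step could substitute."""
    return not find_placeholders(url)


def audit_realm_export(realm):
    """Walk a realm export and report each client URL that carries a placeholder."""
    findings = []
    for client in realm.get("clients", []):
        client_id = client.get("clientId", "<unknown>")
        for field in URL_FIELDS:
            for placeholder in find_placeholders(client.get(field)):
                findings.append({"clientId": client_id, "field": field,
                                 "placeholder": placeholder})
        attributes = client.get("attributes") or {}
        for key in URL_ATTRIBUTES:
            for placeholder in find_placeholders(attributes.get(key)):
                findings.append({"clientId": client_id, "field": "attributes." + key,
                                 "placeholder": placeholder})
    return findings


# Constructed sample realm export: one clean client and one whose URLs would be expanded.
SAMPLE_REALM = json.loads("""
{
  "realm": "demo",
  "clients": [
    {
      "clientId": "portal",
      "adminUrl": "https://portal.example/admin",
      "attributes": {"backchannel.logout.url": "https://portal.example/logout"}
    },
    {
      "clientId": "partner-app",
      "adminUrl": "https://partner.example/admin?home=${user.home}",
      "attributes": {"backchannel.logout.url": "https://partner.example/logout?v=${env.SECRET_VAR}"}
    }
  ]
}
""")


if __name__ == "__main__":
    for finding in audit_realm_export(SAMPLE_REALM):
        print("client {clientId}: {field} contains {placeholder}".format(**finding))
    print("is_safe_url(portal admin URL):", is_safe_url("https://portal.example/admin"))
```

The audit is the retrospective control: run it against exports from instances that were below 26.0.8 to find URLs that were configured while expansion was possible. The admission check is the forward control for any self-service flow that lets clients register their own URLs, and it is worth keeping even after upgrading, since a URL that needs a runtime placeholder has no business being set by a tenant.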
