PT-2024-9024 · Red Hat+1 · Keycloak+1

Steven Hawkins · Published 2024-10-28 · Updated 2025-11-01 · CVE-2024-10451

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Keycloak versions prior to 26.0.2
Description: A flaw was found in Keycloak, where sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values.
Recommendations: For Keycloak versions prior to 26.0.2, update to version 26.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive environment variables and Quarkus properties to minimize the risk of exploitation. Avoid using environment variables for SPI options and Quarkus properties until the issue is resolved.
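A defender-side check for this class of flaw, added here as an example (it is not Keycloak project code): after a build, compare the values of sensitive-looking environment variables against everything in the build output, including the contents of generated jars, to see whether any value was captured as a default. The lib/quarkus/generated-bytecode.jar path and the fixture contents are assumptions; point `find_captured_values` at a real build directory and the current environment to use it.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Variable names that usually carry secrets; KEYCLOAK_* alone must not match.
SENSITIVE_NAME = re.compile(r"(?:^|_)(?:PASSWORD|PASS|SECRET|TOKEN|CREDENTIALS?|KEY)(?:_|$)", re.I)

def sensitive_env(env):
    """Keep variables whose name looks secret-bearing and whose value is not trivially short."""
    return {k: v for k, v in env.items() if SENSITIVE_NAME.search(k) and len(v) >= 8}

def iter_blobs(build_dir):
    """Yield (location, bytes) for every file under build_dir, descending into jars."""
    for path in build_dir.rglob("*"):
        if not path.is_file():
            continue
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for name in zf.namelist():
                    yield f"{path}!{name}", zf.read(name)
        else:
            yield str(path), path.read_bytes()

def find_captured_values(build_dir, env):
    """Return sorted (variable, location) pairs where a secret value appears verbatim.
    ASCII string constants in .class files are stored as plain bytes, so a byte
    substring search catches a value that was baked in as a default."""
    secrets = sensitive_env(env)
    hits = []
    for location, data in iter_blobs(build_dir):
        for var, value in secrets.items():
            if value.encode() in data:
                hits.append((var, location))
    return sorted(hits)

def demo():
    """Constructed fixture (not a real build): a fake build dir whose generated jar embeds one secret."""
    env = {"KC_DB_PASSWORD": "db-pass-Example123", "KC_HTTP_PORT": "8443",
           "KEYCLOAK_ADMIN_PASSWORD": "not-in-output-ZZ"}
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp, "lib", "quarkus", "generated-bytecode.jar")  # assumed layout
        jar.parent.mkdir(parents=True)
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("io/example/Defaults.class", b"\xca\xfe\xba\xbe..db-pass-Example123..")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        Path(tmp, "quarkus-run.jar").write_bytes(b"not a zip, no secrets")
        return [var for var, _ in find_captured_values(Path(tmp), env)]
```

Only the variable whose value actually landed in the jar is reported; a sensitive variable that was set but never captured is not flagged.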

Fix

Weakness Enumeration

Using Hardcoded Credentials
Information Disclosure

Related Identifiers

ALT-PU-2025-13422
ALT-PU-2025-2871
BDU:2024-10706
CVE-2024-10451
GHSA-JCGG-MG9G-P9WF
GHSA-V7GV-XPGF-6395

Affected Products

Alt Linux
Keycloak