{"containers": {"cna": {"affected": [{"product": "keycloak", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 15.1.0"}]}], "descriptions": [{"lang": "en", "value": "ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "description": "CWE-552 - Files or Directories Accessible to External Parties", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-26T15:25:39.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://issues.redhat.com/browse/KEYCLOAK-19422"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/keycloak/keycloak/pull/8588"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010164"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/CVE-2021-3856"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:09.556Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.redhat.com/browse/KEYCLOAK-19422"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/keycloak/keycloak/pull/8588"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010164"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/CVE-2021-3856"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3856", "datePublished": "2022-08-26T15:25:39.000Z", "dateReserved": "2021-10-04T00:00:00.000Z", "dateUpdated": "2024-08-03T17:09:09.556Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", "matchCriteriaId": "08FEF5EB-2BDF-45E6-988A-D9B04FC9281D", "versionEndExcluding": "15.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available."}, {"lang": "es", "value": "ClassLoaderTheme y ClasspathThemeResourceProviderFactory permiten leer cualquier archivo disponible como recurso para el cargador de clases. Al enviar peticiones de recursos de temas con una ruta relativa desde un cliente HTTP externo, el cliente recibir\u00e1 el contenido de archivos aleatorios si est\u00e1n disponibles."}], "id": "CVE-2021-3856", "lastModified": "2024-11-21T06:22:39.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-26T16:15:09.570", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2021-3856"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010164"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/keycloak/keycloak/pull/8588"}, {"source": "secalert@redhat.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://issues.redhat.com/browse/KEYCLOAK-19422"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2021-3856"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010164"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/keycloak/keycloak/pull/8588"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://issues.redhat.com/browse/KEYCLOAK-19422"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Geir Emblemsv\u00e5g, Hallvard Nyg\u00e5rd, and Johannes Knutsen for reporting this issue.", "affected_release": [{"advisory": "RHBA-2022:5452", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-0:1-4.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5452", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5452", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5454", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-0:1-4.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5454", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5454", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2022-06-30T00:00:00Z"}], "bugzilla": {"description": "keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader", "id": "2010164", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010164"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available."], "name": "CVE-2021-3856", "package_state": [{"cpe": "cpe:/a:redhat:amq_online:1", "fix_state": "Out of support scope", "package_name": "keycloak-services", "product_name": "Red Hat A-MQ Online"}], "public_date": "2021-10-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3856\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3856"], "threat_severity": "Low"}

{}