{}

{}

{}

{"acknowledgement": "Red Hat would like to thank philliphnguyen for reporting this issue.", "bugzilla": {"description": "keycloak: CLI option for encrypted JGroups ignored", "id": "2324361", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324361"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-319", "details": ["A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information."], "name": "CVE-2024-10973", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.keycloak/keycloak-quarkus-server", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak/keycloak-quarkus-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.keycloak/keycloak-quarkus-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2024-11-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-10973\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10973"], "statement": "After evaluation of this vulnerability, Keycloak 22 and 24 are not affected. Red Hat currently only ships Red Hat Build of Keycloak 22 and 24.", "threat_severity": "Moderate"}