Impact
The flaw allows someone who holds the manage‑realm role in Keycloak to submit an arbitrary filesystem path as the keystore parameter when creating a key provider component. This gives the attacker the ability to probe whether specific files exist and are readable by the Keycloak process, thereby revealing filesystem contents that should remain hidden. The impact is an information‑disclosure flaw that could be leveraged by an attacker to locate sensitive configuration or data files for use in subsequent attacks. The vulnerability is a classic Path Traversal weakness, corresponding to CWE‑22.
Affected Systems
The affected product is the Red Hat Build of Keycloak. No specific version range is provided, so all deployments of this vendor product may be susceptible until a patch becomes available.
Risk and Exploitability
The CVSS score of 4.9 indicates moderate severity. An attacker needs the manage‑realm role, limiting exploitation to users with elevated privileges within the realm. EPSS is not available and the flaw is not listed in CISA’s KEV catalog, indicating that public exploitation has not yet been reported. The primary impact remains information disclosure, yet the disclosed data could aid further attack attempts.
OpenCVE Enrichment