CVE-2021-3856: [KEYCLOAK-19422] ClassLoaderTheme and ClasspathThemeResourceProviderF… · keycloak/keycloak@73f0474

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of arbitrary classpath files, if they exist.
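The root-confinement check this class of bug calls for, as an added example that is not Keycloak's own code: a classpath theme resource loader that normalises the requested path against the theme's resource root and returns null for anything that would escape it, matching the null contract the commit's test asserts. The class name and the `theme/base/login/resources` layout are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example (hypothetical class, not from Keycloak): traversal-safe classpath lookup. */
public final class SafeThemeResourceLoader {
    private final ClassLoader classLoader;
    private final String root; // assumed layout, e.g. "theme/base/login/resources"

    public SafeThemeResourceLoader(ClassLoader classLoader, String root) {
        this.classLoader = classLoader;
        this.root = root;
    }

    /** Returns the classpath path under root, or null when the request must be rejected. */
    static String resolve(String root, String requested) {
        if (requested == null || requested.isEmpty()) return null;
        // Absolute paths and backslashes are never legitimate theme resource names.
        if (requested.startsWith("/") || requested.indexOf('\\') >= 0) return null;
        Path base = Paths.get(root).normalize();
        // Lexical normalisation folds "." and ".." segments; the result must stay under base.
        Path resolved = base.resolve(requested).normalize();
        if (!resolved.startsWith(base) || resolved.equals(base)) return null;
        // Classloader resource names always use '/', whatever the host file system uses.
        return resolved.toString().replace(java.io.File.separatorChar, '/');
    }

    /** Same contract as Theme.getResourceAsStream: null for a rejected or missing resource. */
    public InputStream getResourceAsStream(String requested) {
        String path = resolve(root, requested);
        return path == null ? null : classLoader.getResourceAsStream(path);
    }

    public static void main(String[] args) {
        String root = "theme/base/login/resources";
        // Constructed inputs: one legitimate resource, two traversal attempts.
        if (!"theme/base/login/resources/css/login.css".equals(resolve(root, "css/login.css")))
            throw new IllegalStateException("legitimate resource was rejected");
        if (resolve(root, "../templates/test.ftl") != null)
            throw new IllegalStateException("parent traversal was not rejected");
        if (resolve(root, "css/../../../../META-INF/MANIFEST.MF") != null)
            throw new IllegalStateException("nested traversal was not rejected");
        System.out.println("all path checks behaved as expected");
    }
}
```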


@@ -73,6 +73,18 @@ public void getMessages() {

});

}

@Test

public void getResourceIllegalTraversal() {

testingClient.server().run(session -> {

try {

Theme theme = session.theme().getTheme("base", Theme.Type.LOGIN);

Assert.assertNull(theme.getResourceAsStream(“…/templates/test.ftl”));

} catch (IOException e) {

Assert.fail(e.getMessage());

}

});

}

@Test

public void gzipEncoding() throws IOException {

final String resourcesVersion = testingClient.server().fetch(session -> Version.RESOURCES_VERSION, String.class);
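Review bot: the assertion `Assert.assertNull(theme.getResourceAsStream(“…/templates/test.ftl”));` is rendered here with typographic quotes and an ellipsis, which would not compile as Java; please confirm the committed source uses ASCII double quotes and a literal `../` segment so the test actually exercises the traversal case its name promises. The new test also covers only `Theme.getResourceAsStream` on the `base` login theme, while the advisory names both `ClassLoaderTheme` and `ClasspathThemeResourceProviderFactory`; a parallel test against the resource provider factory would keep the second code path covered. A short comment on `getResourceIllegalTraversal` stating that null, not an exception, is the expected outcome for a rejected path would document that contract for future readers.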

Related news

GHSA-3w4v-rvc4-2xpw: Keycloak has Files or Directories Accessible to External Parties

