Security
Headlines

Headlines Latest CVEs

Headline

GHSA-93ww-43rr-79v3: Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

10 hours ago

#vulnerability #git #java #auth #maven #ssl

GitHub Advisory Database
GitHub Reviewed
CVE-2024-10039

Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

High severity GitHub Reviewed Published Nov 25, 2024 in keycloak/keycloak

Package

maven org.keycloak:keycloak-core (Maven)

Affected versions

< 24.0.9

>= 25.0.0, < 26.0.6

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

References

GHSA-93ww-43rr-79v3
keycloak/keycloak#35217

Published to the GitHub Advisory Database

Nov 25, 2024

ghsa: Latest News

GHSA-486g-47cc-8wxf: aiocpa contains credential harvesting code

7 hours ago

GHSA-93ww-43rr-79v3: Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

10 hours ago

GHSA-jgwc-jh89-rpgq: Keycloak proxy header handling Denial-of-Service (DoS) vulnerability

10 hours ago

GHSA-xg58-75qf-9r67: Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges

10 hours ago

GHSA-qqwr-j9mm-fhw6: deno_doc's HTML generator vulnerable to Cross-site Scripting

10 hours ago