
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-10451 is an information-disclosure vulnerability in Keycloak, reported against versions up to 26.0.2. In Keycloak 26 the build step (`kc.sh build`) captures runtime values such as database or key-store passwords that happen to be present in environment variables at build time and embeds them as default values in the generated bytecode. The built distribution or container image therefore carries the secret and uses it as a default at runtime, so anyone with read access to the artifact (for example, an image pulled from a registry) can recover it (NVD).
The root cause is the PropertyMapper logic of the Quarkus-based distribution expanding environment variables unconditionally, at build time as well as at runtime. This affects options with the `kc.` prefix (the `KC_*` environment variables), SPI runtime options (`KC_SPI_*`) and raw Quarkus properties, so any of these present in the build environment is resolved and written into the bytecode instead of being left to be read at start-up. The CVSS v3.1 base score is 5.9 (Medium), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector with no privileges or user interaction required, but high attack complexity (an attacker needs access to a built artifact or image) and an impact limited to confidentiality (NVD).
The practical impact is unintended disclosure of secrets in production builds: passwords and other confidential values that were meant to be supplied only at start-up are exposed through the built artifact and at runtime because they are compiled into the bytecode (NVD). A build that was run with such variables set should be treated as having leaked them; rebuilding in a clean environment removes the embedded defaults but does not undo the exposure, so the affected credentials should also be rotated.
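The following is an added example, not code from the Keycloak project or from this report: a POSIX shell guard that refuses to run `kc.sh build` while runtime secrets are present in the environment, and a post-build scan that looks for a known secret value in the produced distribution (plain files, and jar entries when `unzip` is available). The list of variable names it checks is an assumption, a common starting set rather than Keycloak's full catalogue of runtime options, and `kc.sh` itself appears only in comments.

```shell
#!/bin/sh
# Added example, not Keycloak's own tooling: guards around a Keycloak 26
# `kc.sh build` so that runtime secrets cannot be baked into the build output
# (CVE-2024-10451), plus a post-build scan of the produced distribution.
#
# Assumptions (labelled): SECRET_VARS lists the Keycloak environment options
# that most commonly carry secrets; extend it for your deployment. KC_SPI_*
# is matched by prefix because SPI runtime options are affected generically.

SECRET_VARS="KC_DB_PASSWORD KC_HTTPS_KEY_STORE_PASSWORD KC_HTTPS_TRUST_STORE_PASSWORD"
SECRET_VARS="$SECRET_VARS KC_BOOTSTRAP_ADMIN_PASSWORD KEYCLOAK_ADMIN_PASSWORD"

# check_build_env: return 0 if no runtime secret is present in the environment,
# 1 otherwise. Names (never values) of offending variables go to stderr.
check_build_env() {
    rc=0
    for name in $SECRET_VARS; do
        # eval only dereferences a fixed, known variable name from the list above
        eval "val=\${$name:-}"
        if [ -n "$val" ]; then
            echo "refusing to build: $name is set in the build environment" >&2
            rc=1
        fi
    done
    # Any KC_SPI_* runtime option present at build time is treated the same way.
    for name in $(env | sed -n 's/^\(KC_SPI_[A-Za-z0-9_]*\)=.*/\1/p'); do
        echo "refusing to build: $name is set in the build environment" >&2
        rc=1
    done
    return $rc
}

# scan_dist_for_secret DIST_DIR SECRET: look for a literal secret value in a
# built distribution. Plain files are searched with grep; jar entries are
# searched through unzip when it is installed, because deflated entries do
# not match a plain grep. Prints the files that contain the value and
# returns 0 if it was found (build is tainted), 1 if not.
scan_dist_for_secret() {
    dist_dir="$1"
    secret="$2"
    found=1
    if grep -a -r -l -F -- "$secret" "$dist_dir" 2>/dev/null; then
        found=0
    fi
    if command -v unzip >/dev/null 2>&1; then
        for jar in $(find "$dist_dir" -name '*.jar' 2>/dev/null); do
            if unzip -p "$jar" 2>/dev/null | grep -a -q -F -- "$secret"; then
                echo "$jar"
                found=0
            fi
        done
    fi
    return $found
}

# Intended use (kc.sh itself is not run by this file):
#
#   Vulnerable pattern (CVE-2024-10451): the secret is baked into the build.
#     KC_DB_PASSWORD=s3cret bin/kc.sh build --db=postgres
#
#   Corrected pattern: build with build-time options only, pass secrets at start.
#     check_build_env || exit 1
#     bin/kc.sh build --db=postgres --health-enabled=true
#     scan_dist_for_secret . "$DB_PASSWORD" && echo "tainted build" && exit 1
#     KC_DB_PASSWORD="$DB_PASSWORD" bin/kc.sh start --optimized
```

Run `check_build_env` immediately before `kc.sh build` in the pipeline, and run `scan_dist_for_secret` afterwards against the unpacked distribution or the image filesystem with the value of each secret the pipeline knows. A hit means the artifact must be discarded and the secret rotated; a build that ran with secrets in its environment on a vulnerable version has already disclosed them, and the guard remains worthwhile on patched versions because nothing in `kc.sh build` needs a credential.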
Red Hat has released security updates addressing this vulnerability: fixes are in Red Hat build of Keycloak 24.0.9 and 26.0.6, and the upstream fix is in Keycloak 26.0.6. Users are advised to upgrade to a patched version (Red Hat Advisory, Red Hat Advisory). Independently of the upgrade, secrets should not be present in the environment of `kc.sh build` at all: pass only build-time options (database vendor, features, health and metrics settings) at build time and supply credentials to `kc.sh start --optimized`.
Source: This report was generated using AI