org.keycloak:keycloak-services is vulnerable to information disclosure. A remote authenticated attacker is able to gain access to restricted resources by sending a crafted request containing a relative path from an external HTTP client. The client receives the content of the requested arbitrary files, if they exist, because of insufficient validation in the getResourceAsStream and getResourceAsStream functions.
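The weakness described above is a missing containment check: a client-supplied relative path is handed to a getResourceAsStream-style lookup without first confirming that, after normalization, it still sits below the intended resource root. The following Java class is an added, illustrative example written for this page; it is not Keycloak's code and does not use Keycloak's APIs. The class name `SafeResourceLoader`, the `rootPrefix` value and the sample inputs in `main` are all assumptions chosen to show the check.

```java
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical resource loader (not Keycloak's) that shows the validation a
 * getResourceAsStream-style lookup needs before resolving a client-supplied
 * relative path against a fixed resource root.
 */
public final class SafeResourceLoader {
    private final ClassLoader loader;
    private final String rootPrefix; // assumed root, e.g. "theme/base/login/resources/"

    public SafeResourceLoader(ClassLoader loader, String rootPrefix) {
        this.loader = loader;
        this.rootPrefix = rootPrefix.endsWith("/") ? rootPrefix : rootPrefix + "/";
    }

    /**
     * Returns the normalized path relative to the root, or null when the
     * request is absolute, malformed, or climbs above the root.
     * The caller is expected to pass an already URL-decoded path; anything
     * still containing '%' is rejected to avoid double-decoding ambiguity.
     */
    static String normalizeWithinRoot(String requested) {
        if (requested == null || requested.isEmpty()) return null;
        if (requested.startsWith("/") || requested.contains("\\")
                || requested.contains("%") || requested.indexOf('\0') >= 0) {
            return null;
        }
        Path normalized = Paths.get(requested).normalize();
        // After normalize(), a leading ".." element means "a/../../x" style
        // input escaped the root; an absolute result is rejected as well.
        if (normalized.isAbsolute() || normalized.startsWith("..")) return null;
        String result = normalized.toString().replace('\\', '/');
        if (result.isEmpty() || result.equals(".")) return null;
        return result;
    }

    /** Opens the resource only when the path stays within the root. */
    public InputStream open(String requested) {
        String rel = normalizeWithinRoot(requested);
        if (rel == null) return null; // treated as "not found" by the caller
        return loader.getResourceAsStream(rootPrefix + rel);
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two are legitimate, the rest must be rejected.
        String[] samples = {
            "css/login.css",
            "img/./logo.png",
            "../../../../etc/passwd",
            "css/../../../secret.properties",
            "/absolute/path",
            "css\\..\\..\\x"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + normalizeWithinRoot(s));
        }
    }
}
```

The decision to normalize first and then inspect the leading element is what distinguishes this from a naive `contains("..")` filter: it accepts harmless segments such as `a/../b` that stay inside the root while still rejecting any sequence whose net effect is to leave it.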
CPE | Name | Operator | Version
---|---|---|---
 | keycloak rest services | le | 15.0.2