Severity: 4.3 MEDIUM
EPSS: 0.4% (top 41.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Aug 26
Latest update: Aug 27

Description

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of arbitrary files if available.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

NVD: redhat/keycloak < 15.1.0
CVEListV5: keycloak, fixed in 15.1.0

Patches

Vulnerability Details (3)

GHSA: Keycloak has Files or Directories Accessible to External Parties (2022-08-27)
OSV: Keycloak has Files or Directories Accessible to External Parties (2022-08-27)
CVEList: CVE-2021-3856: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader (2022-08-26)

Vendor Advisories (1)

Red Hat: keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader (2021-10-04)
CVE-2021-3856 (MEDIUM CVSS 4.3) | ClassLoaderTheme and ClasspathTheme | cvebase.io