{
  "threat_severity" : "Important",
  "public_date" : "2024-11-21T16:45:00Z",
  "bugzilla" : {
    "description" : "keycloak-core: mTLS passthrough",
    "id" : "2319217",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2319217"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism." ],
  "statement" : "Red Hat Enterprise Application Platform does not ship the Keycloak server code and thus is not affected by this vulnerability.",
  "acknowledgement" : "This issue was discovered by Alexander Schwartz (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 24",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:10175",
    "cpe" : "cpe:/a:redhat:build_keycloak:24::el9",
    "package" : "rhbk/keycloak-operator-bundle:24.0.9-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 24",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:10175",
    "cpe" : "cpe:/a:redhat:build_keycloak:24::el9",
    "package" : "rhbk/keycloak-rhel9:24-18"
  }, {
    "product_name" : "Red Hat build of Keycloak 24",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:10175",
    "cpe" : "cpe:/a:redhat:build_keycloak:24::el9",
    "package" : "rhbk/keycloak-rhel9-operator:24-18"
  }, {
    "product_name" : "Red Hat build of Keycloak 24.0.9",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:10176",
    "cpe" : "cpe:/a:redhat:build_keycloak:24",
    "package" : "org.keycloak/keycloak-core"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.0",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:10177",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.0::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.0.6-2"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.0",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:10177",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.0::el9",
    "package" : "rhbk/keycloak-rhel9:26.0-5"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.0",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:10177",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.0::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.0-6"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.0.6",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:10178",
    "cpe" : "cpe:/a:redhat:build_keycloak:26",
    "package" : "org.keycloak/keycloak-core"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "release_date" : "2025-07-23T00:00:00Z",
    "advisory" : "RHSA-2025:11645",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Affected",
    "package_name" : "org.keycloak/keycloak-core",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-10039\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10039" ],
  "name" : "CVE-2024-10039",
  "csaw" : false
}