keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

CVE-2024-5203 - org.keycloak:keycloak-services, org.keycloak:keycloak-server-spi-private, Keycloak 25.0.2 additional vulnerabilities #31986

Closed vsun757 closed 3 weeks ago

vsun757 commented 1 month ago

Description

CVE-2024-5203 - org.keycloak:keycloak-services, org.keycloak:keycloak-server-spi-private affecting Keycloak version 25.0.2

vsun757 commented 1 month ago

Also, CVE-2024-29857 and CVE-2024-30171 still appear to be present on Keycloak version 25.0.2

stianst commented 3 weeks ago

CVE-2024-29857 and CVE-2024-30171 are resolved in 25.0.2 as it is using BouncyCastle 1.78.1.

stianst commented 3 weeks ago

CVE-2024-5203 will be fixed in https://github.com/keycloak/keycloak/issues/30389, so this is a duplicate.

vsun757 commented 3 weeks ago

For CVE-2024-29857, it appears to affect org.bouncycastle:bc-fips, which is at version 1.0.2.4; the fix version is 1.0.2.5.

File path is opt/keycloak/providers/bc-fips-1.0.2.4.jar
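The thread turns on which BouncyCastle jars are actually shipped under the Keycloak providers directory and whether their versions meet the fixed versions each commenter cites (BouncyCastle 1.78.1 in stianst's comment, bc-fips 1.0.2.5 in vsun757's). The following check is an added example and is not code from this issue or from the Keycloak project: it parses `artifact-version.jar` file names from a directory listing and flags any artifact below a minimum version. The artifact ids and minimum versions in `MIN_VERSIONS` are assumptions taken only from the versions named above, and the directory listing is constructed sample input.

```python
import os
import re

# Matches "<artifact>-<dotted numeric version>.jar", e.g. "bc-fips-1.0.2.4.jar".
# The artifact group is lazy so the hyphen before the version is the split point.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")

# Assumed thresholds, taken from the versions cited in the thread above:
# bc-fips 1.0.2.5 (vsun757) and BouncyCastle 1.78.1 (stianst). Adjust to your advisory source.
MIN_VERSIONS = {
    "bc-fips": "1.0.2.5",
    "bcprov-jdk18on": "1.78.1",
    "bcpkix-jdk18on": "1.78.1",
}

# Constructed sample listing of a providers directory (not taken from a real deployment).
SAMPLE_LISTING = [
    "bc-fips-1.0.2.4.jar",          # below the cited fix version -> flagged
    "bcprov-jdk18on-1.78.1.jar",    # meets the cited version -> ok
    "keycloak-services-25.0.2.jar", # not in MIN_VERSIONS -> ignored
    "README.txt",                   # not a jar -> ignored
]


def parse_jar_name(name):
    """Return (artifact, version) for a Maven-style jar file name, or None."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Turn '1.0.2.4' into (1, 0, 2, 4) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(version, minimum):
    """True when version < minimum; shorter tuples are zero-padded so 1.78 == 1.78.0."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit_jars(names):
    """Return a list of (file, artifact, found_version, minimum_version) for outdated jars."""
    findings = []
    for name in names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        minimum = MIN_VERSIONS.get(artifact)
        if minimum is not None and is_outdated(version, minimum):
            findings.append((name, artifact, version, minimum))
    return findings


def audit_directory(path):
    """Run the audit over a real providers directory, e.g. /opt/keycloak/providers."""
    return audit_jars(sorted(os.listdir(path)))


if __name__ == "__main__":
    for name, artifact, found, minimum in audit_jars(SAMPLE_LISTING):
        print(f"{name}: {artifact} {found} is below minimum {minimum}")
```

The check only reads file names, so it cannot tell whether a scanner's finding is a true positive for the code paths Keycloak actually exercises; it is a quick way to confirm what is on disk before raising or closing a ticket like this one. Run `audit_directory("/opt/keycloak/providers")` on a real installation instead of the constructed listing.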

vsun757 commented 5 days ago

@stianst it looks like #30389 was closed without a fix; are they saying it's a false positive?