Closed vsun757 closed 3 weeks ago
Also, CVE-2024-29857 and CVE-2024-30171 still appear to be present on Keycloak version 25.0.2
CVE-2024-29857 and CVE-2024-30171 are resolved in 25.0.2 as it is using BouncyCastle 1.78.1.
CVE-2024-5203 will be fixed in https://github.com/keycloak/keycloak/issues/30389, so this is a duplicate
For CVE-2024-29857, it appears to affect org.bouncycastle:bc-fips, which is at version 1.0.2.4; the fix version is 1.0.2.5.
File path is opt/keycloak/providers/bc-fips-1.0.2.4.jar
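A quick way to verify this on a running image, as an added example that is not part of this thread or the Keycloak project: list the bc-fips jars in the providers directory and compare each version against the fix version. It assumes the jar filename pattern `bc-fips-<version>.jar` seen above, the fix version 1.0.2.5 stated in the comment above, and GNU `sort -V` for dotted-version ordering; the temporary directory and the jar it creates at the bottom are constructed sample input, not files from the image.

```shell
#!/bin/sh
# Added example, not code from the Keycloak project or this issue thread.
# Checks a providers directory for bc-fips jars below the fix version named above.
# Assumptions: jar names follow bc-fips-<version>.jar; fix version 1.0.2.5 as
# stated in the thread; GNU coreutils 'sort -V' is available.

FIXED_BCFIPS="1.0.2.5"

# version_ge A B: returns 0 if dotted version A is >= B, else 1.
# 'sort -V' puts the smaller version first; A >= B iff the first line is B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# jar_version PATH: strips directory, the bc-fips- prefix and the .jar suffix,
# e.g. /opt/keycloak/providers/bc-fips-1.0.2.4.jar -> 1.0.2.4
jar_version() {
    basename "$1" .jar | sed 's/^bc-fips-//'
}

# check_providers DIR: prints one OK/VULNERABLE line per bc-fips jar in DIR
# (default /opt/keycloak/providers). Returns 1 if any jar is below the fix version.
check_providers() {
    dir="${1:-/opt/keycloak/providers}"
    status=0
    for jar in "$dir"/bc-fips-*.jar; do
        # Unmatched glob leaves the literal pattern; treat that as "nothing to check".
        [ -e "$jar" ] || { echo "no bc-fips jar found in $dir"; return 0; }
        v="$(jar_version "$jar")"
        if version_ge "$v" "$FIXED_BCFIPS"; then
            echo "OK         $jar ($v >= $FIXED_BCFIPS)"
        else
            echo "VULNERABLE $jar ($v < $FIXED_BCFIPS)"
            status=1
        fi
    done
    return $status
}

# Stand-alone demo on a constructed directory mirroring the path in the thread.
SAMPLE_DIR="$(mktemp -d)"
touch "$SAMPLE_DIR/bc-fips-1.0.2.4.jar"   # constructed sample, same name as reported
if check_providers "$SAMPLE_DIR"; then
    echo "no bc-fips jar below $FIXED_BCFIPS"
else
    echo "at least one bc-fips jar is below $FIXED_BCFIPS"
fi
rm -rf "$SAMPLE_DIR"
```

Inside the container this is `check_providers /opt/keycloak/providers` (or just `check_providers`); a non-zero exit means a bc-fips jar older than 1.0.2.5 is still shipped.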
@stianst it looks like #30389 was closed without a fix, are they saying it's a false positive?
Description
CVE-2024-5203 - org.keycloak:keycloak-services, org.keycloak:keycloak-server-spi-private affecting Keycloak version 25.0.2