Files or Directories Accessible to External Parties

CVE-2021-3856

Severity Medium
Score 4.3/10

Summary

A flaw was found in Keycloak versions prior to 15.1.0: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file that is available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client receives the content of arbitrary files if they are available.
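The weakness above is a relative path reaching the classloader unchecked. The following is an added example (not Keycloak's code) showing the kind of path validation a resource provider should apply before a lookup, plus a scan over constructed access-log lines that flags theme resource requests the validator would reject. It assumes the URL layout `/resources/<version>/<type>/<theme>/<path>` and an Apache-style log format; both are assumptions for illustration.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote


def safe_resource_path(requested: str) -> Optional[str]:
    """Return a normalized, traversal-free relative path, or None to reject."""
    decoded = unquote(requested)          # decode exactly once
    # Reject leftover encoding (double-encoding), NUL bytes and backslashes.
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    # Resource paths must be relative and non-empty.
    if decoded == "" or decoded.startswith("/"):
        return None
    norm = posixpath.normpath(decoded)
    # Anything that still escapes the theme root after normalization is rejected.
    if norm in (".", "..") or norm.startswith("../"):
        return None
    if any(seg == ".." for seg in norm.split("/")):
        return None
    return norm


# Assumed route shape: /resources/<version>/<type>/<theme>/<relative path>
THEME_RESOURCE_RE = re.compile(
    r'"(?:GET|HEAD) (?:/auth)?/resources/[^/ ]+/[^/ ]+/[^/ ]+/(?P<rel>[^ ]*) HTTP'
)


def suspicious_theme_requests(log_lines: List[str]) -> List[str]:
    """Return log lines whose theme resource path fails validation."""
    hits = []
    for line in log_lines:
        m = THEME_RESOURCE_RE.search(line)
        if m and safe_resource_path(m.group("rel")) is None:
            hits.append(line)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /auth/resources/abc123/login/keycloak/css/login.css HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /auth/resources/abc123/login/keycloak/css/../../../../config/example.properties HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /auth/realms/master/protocol/openid-connect/auth HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in suspicious_theme_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```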

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • LOW
  • LOW
  • NONE

CWE-552 - Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Advisory Timeline

  • Published