CVE-2017-15112: keycloak-httpd-client-install Insecure Secrets
7.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.15917%
CWE
Published
5/14/2022
Updated
9/7/2023
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
keycloak-httpd-client-install | pip | < 0.8 | 0.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from password handling via command line arguments. The patch explicitly replaces '-p/--admin-password' arguments with file-based alternatives and adds deprecation warnings. The original functions handling these arguments in both main script (bin/keycloak-httpd-client-install
) and CLI utility (keycloak_cli.py
) directly accepted passwords through insecure channels. The commit diff shows these argument handlers were modified to prevent command line exposure, confirming their role in the vulnerability.