
CVE-2017-15112: keycloak-httpd-client-install Insecure Secrets

CVSS Score: 7.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.15917%
Published: 5/14/2022
Updated: 9/7/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name                  | Ecosystem | Vulnerable Versions | First Patched Version
keycloak-httpd-client-install | pip       | < 0.8               | 0.8

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from accepting the admin password as a command line argument. The patch replaces the '-p/--admin-password' arguments with file-based alternatives and adds deprecation warnings for the old flags. The original argument handlers in both the main script (bin/keycloak-httpd-client-install) and the CLI utility (keycloak_cli.py) took the password directly from the command line, where it is exposed to other local users through shell history and process information. The commit diff shows these argument handlers were modified to remove that exposure, confirming their role in the vulnerability.
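The following is an added illustration of the fix pattern described above; it is not code from the keycloak-httpd-client-install project and the tool name, flag names and helper functions are assumptions. It shows a small argparse front end that takes the admin password from a file created with mode 0600, keeps the old -p/--admin-password flag only with a deprecation warning, and refuses a password file that other local users could read.

```python
# Added example (not from keycloak-httpd-client-install): read the admin password from a
# file instead of argv, and warn when the deprecated command line flag is still used.
import argparse
import os
import stat
import tempfile
import warnings


def build_parser():
    # Hypothetical tool name; the flag names mirror the pattern described in the advisory.
    parser = argparse.ArgumentParser(prog="client-install-demo")
    parser.add_argument("--admin-password-file", metavar="PATH",
                        help="file whose first line is the admin password (mode 0600)")
    # Kept only for backward compatibility: anything on the command line ends up in
    # shell history and in the process list visible to every local user.
    parser.add_argument("-p", "--admin-password", metavar="PASSWORD",
                        help="DEPRECATED: use --admin-password-file instead")
    return parser


def write_password_file(path, secret):
    """Create the file with mode 0600 from the start so no other user can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secret + "\n")


def read_password_file(path):
    """Return the first line of the file, refusing files other local users can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group- or world-accessible; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def resolve_admin_password(argv):
    """Parse argv and return (password, notes); notes record any deprecated usage."""
    args = build_parser().parse_args(argv)
    notes = []
    if args.admin_password is not None:
        msg = ("-p/--admin-password is deprecated: the value is visible to other local "
               "users; use --admin-password-file instead")
        warnings.warn(msg, DeprecationWarning, stacklevel=2)
        notes.append(msg)
        return args.admin_password, notes
    if args.admin_password_file is not None:
        return read_password_file(args.admin_password_file), notes
    raise SystemExit("an admin password source is required")


def command_line_visible_to_others():
    """Show what /proc exposes for this process (Linux only); None where unavailable."""
    try:
        with open("/proc/self/cmdline", "rb") as fh:
            return fh.read().split(b"\0")[:-1]
    except OSError:
        return None


def demo():
    """Exercise both code paths with a constructed secret and return the results."""
    secret = "constructed-demo-secret"  # constructed sample value, not a real credential
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "admin.pw")
        write_password_file(path, secret)
        from_file, file_notes = resolve_admin_password(["--admin-password-file", path])
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            from_argv, argv_notes = resolve_admin_password(["-p", secret])
    return {"from_file": from_file, "file_notes": file_notes,
            "from_argv": from_argv, "argv_notes": argv_notes}


if __name__ == "__main__":
    print(demo())
    print(command_line_visible_to_others())
```

The permission check in read_password_file is the part most often left out: a file-based flag only helps if the file itself is not readable by the same local users who could have read the process list.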


WAF Protection Rules

WAF Rule

keycloak-httpd-client-install versions before 0.8 allow users to insecurely pass a password through the command line, leaking it via command history and process info to other local users.
