Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
dependencies
Describe the bug
- Package Manager: maven
- Vulnerable module: io.vertx:vertx-core
- Introduced through: org.keycloak:keycloak-operator@999.0.0-SNAPSHOT, io.quarkus:quarkus-kubernetes-client@3.20.1 and others
Detailed paths
- Introduced through: org.keycloak:keycloak-operator@999.0.0-SNAPSHOT › io.quarkus:quarkus-kubernetes-client@3.20.1 › io.fabric8:kubernetes-httpclient-vertx@7.1.0 › io.vertx:vertx-core@4.5.14
Overview
io.vertx:vertx-core is a tool-kit for building reactive applications on the JVM.
Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the duplicated context process. An attacker can access sensitive data from another transaction by triggering the duplication of an already duplicated context.
Note:
Duplicating a duplicated context is rather rare and is only done in a few places:
- Quarkus REST Client when using OTel (but it's the same transaction, so no leak)
- Quarkus Messaging connectors
- Quarkus SmallRye Health (same transaction, so no leak)
Workaround
When duplicating a duplicated context, the following code can be used to avoid the potential leak:

```java
((ContextInternal) VertxContext.getRootContext(ctx)).duplicate()
```
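The following is an added example, not code from this issue, from Keycloak, or from the Vert.x/Quarkus projects. It places the risky pattern (duplicating a context that is itself already a duplicate) beside the workaround quoted above, so the two can be compared on an affected build. It assumes Vert.x 4.5.x and the SmallRye Common `vertx-context` module on the classpath; the `TENANT_KEY` name and the `tenant-A` value are constructed for illustration.

```java
// Added example, not part of the original issue or of Vert.x/Quarkus.
// Assumes vertx-core 4.5.x plus io.smallrye.common:smallrye-common-vertx-context.
import io.smallrye.common.vertx.VertxContext;
import io.vertx.core.Context;
import io.vertx.core.Vertx;
import io.vertx.core.impl.ContextInternal;

public class DuplicatedContextExample {

    // Hypothetical key under which per-request data is kept in the context-local map.
    private static final String TENANT_KEY = "tenant";

    // Pattern the advisory flags: duplicating a context that is already a duplicate.
    // On the affected vertx-core versions the new duplicate can observe local data
    // that belongs to the transaction of the context it was duplicated from.
    static Context duplicateNaively(Context ctx) {
        return ((ContextInternal) ctx).duplicate();
    }

    // Workaround from the advisory: resolve the root (non-duplicated) context first
    // and duplicate that, so the new duplicate starts with an empty local map.
    static Context duplicateFromRoot(Context ctx) {
        return ((ContextInternal) VertxContext.getRootContext(ctx)).duplicate();
    }

    // Returns true when the root-derived duplicate is isolated from the source
    // context's local data, which is the property the workaround relies on.
    static boolean isIsolated(Context source, Context duplicate) {
        return duplicate.getLocal(TENANT_KEY) == null
                && source.getLocal(TENANT_KEY) != null
                && VertxContext.isDuplicatedContext(duplicate);
    }

    public static void main(String[] args) {
        Vertx vertx = Vertx.vertx();
        try {
            // Simulate request A running on its own duplicated context.
            Context requestA = VertxContext.getOrCreateDuplicatedContext(vertx);
            requestA.putLocal(TENANT_KEY, "tenant-A"); // constructed sample value

            // A component that needs a fresh context duplicates from requestA,
            // once the risky way and once via the workaround.
            Context naive = duplicateNaively(requestA);
            Context safe = duplicateFromRoot(requestA);

            // On a fixed version both print null; on an affected version the
            // naive duplicate may still show "tenant-A".
            System.out.println("naive duplicate sees tenant: " + naive.getLocal(TENANT_KEY));
            System.out.println("root-derived duplicate sees tenant: " + safe.getLocal(TENANT_KEY));
            System.out.println("root-derived duplicate is isolated: " + isIsolated(requestA, safe));
        } finally {
            vertx.close();
        }
    }
}
```

Running this against the pinned 4.5.14 and again after the upgrade to 4.5.16 is a quick way to confirm that the dependency bump, and not only the workaround, closes the leak; the root-derived duplicate should report `isolated: true` in both cases.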
Remediation
Upgrade io.vertx:vertx-core to version 4.5.16 or higher.
References
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
No CVE reports.
Actual behavior
CVE reported.
How to Reproduce?
Check: https://github.com/keycloak/keycloak/security/code-scanning/2839
Anything else?
EDIT: Will be solved by #40591