Infinispan CVE cve-2021-31917 on keycloak 15.0

jayrajput · November 9, 2021, 2:47pm

Is keycloak 15.0 impacted by the following infinispan CVE?

https://access.redhat.com/security/cve/cve-2021-31917

CVE quick description: A flaw was found in Red Hat DataGrid and Infinispan. An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

stropia · November 9, 2021, 5:09pm

Keycloak by default use embedded infinispan and REST endpoints are not exposed. They are exposed if you use a separate infinispan cluster, but even then you can define what kind of authorization will you use and how would you expose your REST endpoints.

jayrajput · November 10, 2021, 7:26am

Thanks for the response.

Topic		Replies	Views
Are any distributions of Keycloak vulnerable to Bug 1955113 (CVE-2021-31917)? Getting advice	0	335	February 3, 2022
Integrate keycloak with remote infinispan server Securing applications	2	951	July 28, 2020
Keycloak 20.0.5 with infinispan 14.0.21.Final	1	401	February 1, 2024
Keycloak restarts if Infinispan restarts Configuring the server	0	259	March 16, 2023
Keycloak can not validate token in standalone-ha mode (invalid_token) authentication	4	1824	June 11, 2021

Infinispan CVE cve-2021-31917 on keycloak 15.0

Related Topics