Search for vulnerabilities
Vulnerability details: VCID-9mrp-8k8r-dkcf
Vulnerability ID VCID-9mrp-8k8r-dkcf
Aliases CVE-2021-3856
GHSA-3w4v-rvc4-2xpw
Summary Keycloak has Files or Directories Accessible to External Parties ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-552 Files or Directories Accessible to External Parties
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3856.json
cvssv3.1 4.3 https://access.redhat.com/security/cve/CVE-2021-3856
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2021-3856
cvssv3.1 4.3 https://bugzilla.redhat.com/show_bug.cgi?id=2010164
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2010164
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-3w4v-rvc4-2xpw
cvssv3.1 4.3 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 4.3 https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743
generic_textual MODERATE https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743
cvssv3.1 4.3 https://github.com/keycloak/keycloak/pull/8588
generic_textual MODERATE https://github.com/keycloak/keycloak/pull/8588
cvssv3.1 4.3 https://issues.redhat.com/browse/KEYCLOAK-19422
generic_textual MODERATE https://issues.redhat.com/browse/KEYCLOAK-19422
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2021-3856
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-3856
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3856.json
https://access.redhat.com/security/cve/CVE-2021-3856
https://api.first.org/data/v1/epss?cve=CVE-2021-3856
https://bugzilla.redhat.com/show_bug.cgi?id=2010164
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743
https://github.com/keycloak/keycloak/pull/8588
https://issues.redhat.com/browse/KEYCLOAK-19422
https://nvd.nist.gov/vuln/detail/CVE-2021-3856
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
GHSA-3w4v-rvc4-2xpw https://github.com/advisories/GHSA-3w4v-rvc4-2xpw
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3856.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/security/cve/CVE-2021-3856
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2010164
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/keycloak/keycloak
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/keycloak/keycloak/pull/8588
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://issues.redhat.com/browse/KEYCLOAK-19422
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-3856
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.37617
EPSS Score 0.0016
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:03:16.716514+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-3w4v-rvc4-2xpw/GHSA-3w4v-rvc4-2xpw.json 37.0.0