5.5

CVE-2025-13467

Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation

Deserialization of Untrusted Data in LDAP User Federation

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerKeycloak
Produkt Keycloak
Default Statusunaffected
Version 0
Version < 26.4.6
Status affected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.2
Default Statusaffected
Version 26.2.11-1
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.2
Default Statusaffected
Version 26.2-12
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.2
Default Statusaffected
Version 26.2-12
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.2.11
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.4
Default Statusaffected
Version 26.4.6-1
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.4
Default Statusaffected
Version 26.4-6
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.4
Default Statusaffected
Version 26.4-5
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.4.6
Default Statusunaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemKeycloak
Produkt Keycloak Server
Version >= 0.0.0, < 26.2.11
Version >= 26.4.0, < 26.4.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.4% 0.316
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 5.5 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://access.redhat.com/errata/RHSA-2025:22089
https://access.redhat.com/errata/RHSA-2025:22091
https://access.redhat.com/security/cve/CVE-2025-13467
https://bugzilla.redhat.com/show_bug.cgi?id=2416038
https://access.redhat.com/errata/RHSA-2025:22090
https://access.redhat.com/errata/RHSA-2025:22088
https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328
https://github.com/keycloak/keycloak/issues/44478
https://github.com/keycloak/keycloak/security/advisories/GHSA-4hx9-48xh-5mxr
Third Party Advisory