5.4
CVE-2025-1391
- EPSS 0.02%
- Published 17.02.2025 14:15:08
- Last modified 10.03.2025 19:15:39
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/keycloak/keycloak
≫
Package
keycloak-services
Default Statusunaffected
Version <
26.0.10
Version
26.0.0
Status
affected
VendorRed Hat
≫
Product
Red Hat Build of Keycloak
Default Statusunaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 26.0
Default Statusaffected
Version <
*
Version
26.0.10-3
Status
unaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 26.0
Default Statusaffected
Version <
*
Version
26.0-11
Status
unaffected
VendorRed Hat
≫
Product
Red Hat build of Keycloak 26.0
Default Statusaffected
Version <
*
Version
26.0-12
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.05 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| secalert@redhat.com | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.