CVE-2025-3501

org.keycloak.protocol.services: keycloak hostname verification

Keycloak hostname verification

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
Possible countermeasure
Keycloak Server: install the latest version
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Collection URL: https://www.keycloak.org/
Package: keycloak
Default status: unaffected
Affected version ranges:
  Version 25.0.0, < 25.*      Status: affected
  Version 26.0.0, < 26.0.11   Status: affected
  Version 26.1.0, < 26.1.*    Status: unknown
  Version 26.2.0, < 26.2.2    Status: affected
Vendor: Red Hat
Product: Red Hat Build of Keycloak
Default status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26
Default status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.0
Default status: affected
  Version 26.0.11-2, < *   Status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.0
Default status: affected
  Version 26.0-12, < *     Status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.0
Default status: affected
  Version 26.0-13, < *     Status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2
Default status: affected
  Version 26.2.5-1, < *    Status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2
Default status: affected
  Version 26.2-4, < *      Status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2
Default status: affected
  Version 26.2-4, < *      Status: unaffected

Vendor: Red Hat
Product: Red Hat Single Sign-On 7
Default status: unaffected
Further vulnerability information
System: Keycloak
Product: Keycloak Server
Version: < 26.2.2
No advisory was found for this CVE.

EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.09%   0.26

CVSS metrics
Source                Base Score   Exploitability Score   Impact Score   Vector String
secalert@redhat.com   8.2          3.9                    4.2            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE-297 Improper Validation of Certificate with Host Mismatch

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.