CVE-2025-9162

EPSS 0.03%
Veröffentlicht 21.08.2025 15:40:25
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Org.keycloak/keycloak-model-storage-service: variable injection into environment variables

Variable resolution on imports can expose environment variables

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process
allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.

Mögliche Gegenmaßnahme

Keycloak Server: Install latest version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 12

CNA 13 VulnDex Vulnerability Enrichment 3

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerKeycloak

≫

Produkt keycloak

Default Statusunaffected

Version 0

Version < 26.3.4

Status affected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0.15-1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0-18

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.0

Default Statusaffected

Version 26.0-19

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2.8-1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2-8

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2-8

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2.9-1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2-9

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2-9

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2.9

Default Statusunaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemKeycloak

≫

Produkt Keycloak Server

Version >= 0.0.0, < 26.2.9

Version >= 26.3.0, < 26.3.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable

The product uses an environment variable to store unencrypted sensitive information.

https://access.redhat.com/security/cve/CVE-2025-9162

https://bugzilla.redhat.com/show_bug.cgi?id=2389396

https://access.redhat.com/errata/RHSA-2025:15336

https://access.redhat.com/errata/RHSA-2025:15337

https://access.redhat.com/errata/RHSA-2025:15338

https://access.redhat.com/errata/RHSA-2025:15339

https://access.redhat.com/errata/RHSA-2025:16399

https://access.redhat.com/errata/RHSA-2025:16400

https://github.com/keycloak/keycloak/security/advisories/GHSA-8hxp-qmph-w5gq

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-9162

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-9162

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-9162

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-9162