CVE-2025-13467
MEDIUM5.5EPSS 0.06%Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
發布日:2025/12/19修改日:2026/2/17
描述
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. ### Mitigation Disable LDAP referrals in all LDAP user providers in all realms if projects cannot upgrade to the patched versions.
受影響套件(1)
- Maven/org.keycloak:keycloak-ldap-federation>= 26.3.0, < 26.4.6
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
參考連結(10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-13467
- PATCHhttps://github.com/keycloak/keycloak
- WEBhttps://access.redhat.com/errata/RHSA-2025:22088
- WEBhttps://access.redhat.com/security/cve/CVE-2025-13467
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2416038
- WEBhttps://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328
- WEBhttps://github.com/keycloak/keycloak/commit/b90fec41ff17a70858d830750156a8a2e13ddb82
- WEBhttps://github.com/keycloak/keycloak/issues/44478
- WEBhttps://github.com/keycloak/keycloak/releases/tag/26.4.6
- WEBhttps://github.com/keycloak/keycloak/security/advisories/GHSA-4hx9-48xh-5mxr