CVE-2025-1391
MEDIUM5.4EPSS 0.09%Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims
發布日:2025/3/10修改日:2025/3/10
描述
This vulnerability is caused by the improper mapping of users to organizations based solely on email/username patterns. The issue is limited to the token claim level, meaning the user is not truly added to the organization but may appear as such in applications relying on these claims. The risk increases in scenarios where self-registration is enabled and unrestricted, allowing an attacker to exploit the naming pattern. The issue is mitigated if admins restrict registration or use strict validation mechanisms.
受影響套件(1)
- Maven/org.keycloak:keycloak-services>= 26.1.0, < 26.1.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-1391
- PATCHhttps://github.com/keycloak/keycloak
- WEBhttps://access.redhat.com/errata/RHSA-2025:2545
- WEBhttps://access.redhat.com/security/cve/CVE-2025-1391
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2346082
- WEBhttps://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378
- WEBhttps://github.com/keycloak/keycloak/security/advisories/GHSA-gvgg-2r3r-53x7