Authentication Bypass Vulnerability in Keycloak by Red Hat
CVE-2025-0604

5.4MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Keycloak; Red Hat Single Sign-on 7
Vendor: CVE Published:; 22 January 2025

Summary

A vulnerability exists in Keycloak where the system fails to validate new password credentials against Active Directory (AD) during a user password reset. As a result, users with expired or disabled AD accounts may regain unauthorized access to Keycloak, circumventing the established security restrictions. This flaw poses a significant risk as it may lead to authentication bypass, potentially allowing malicious actors to exploit user accounts under certain conditions.

References

https://access.redhat.com/security/cve/CVE-2025-0604

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2338993

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 22, 2025
Vulnerability Reserved
Jan 20, 2025

Credit

Red Hat would like to thank Dwayne Du for reporting this issue.