A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions.
History
Thu, 23 Jan 2025 01:45:00 +0000

Type | Values Removed | Values Added |
---|---|---|
References | | |
Metrics | threat_severity | threat_severity |
Wed, 22 Jan 2025 15:15:00 +0000

Type | Values Removed | Values Added |
---|---|---|
Metrics | | ssvc |
Wed, 22 Jan 2025 14:45:00 +0000

Type | Values Removed | Values Added |
---|---|---|
Description | | A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions. |
Title | | Keycloak-ldap-federation: authentication bypass due to missing ldap bind after password reset in keycloak |
First Time appeared | | Redhat, Redhat Build Keycloak, Redhat Red Hat Single Sign On |
Weaknesses | | CWE-287 |
CPEs | | cpe:/a:redhat:build_keycloak:, cpe:/a:redhat:red_hat_single_sign_on:7 |
Vendors & Products | | Redhat, Redhat Build Keycloak, Redhat Red Hat Single Sign On |
References | | |
Metrics | | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2025-01-22T14:34:45.923Z
Updated: 2025-01-22T15:06:01.864Z
Reserved: 2025-01-20T11:35:33.280Z
Link: CVE-2025-0604

Vulnrichment
Updated: 2025-01-22T15:05:58.258Z

NVD
Status: Received
Published: 2025-01-22T15:15:14.827
Modified: 2025-01-22T15:15:14.827
Link: CVE-2025-0604