=====================================================================
CERT-Renater Information Note No. 2025/VULN270
_____________________________________________________________________
DATE : 02/05/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running org.keycloak:keycloak-services (Maven) versions prior to 26.2.2.
=====================================================================
https://github.com/keycloak/keycloak/security/advisories/GHSA-hw58-3793-42gg
https://github.com/keycloak/keycloak/security/advisories/GHSA-5jfq-x6xp-7rw2
_____________________________________________________________________

Keycloak hostname verification (High)
stianst published GHSA-hw58-3793-42gg on Apr 30, 2025

Package          : org.keycloak:keycloak-services (Maven)
Affected versions: < 26.2.2
Patched versions : 26.2.2

Description
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

Severity   : High
CVE ID     : CVE-2025-3501
Weaknesses : No CWEs
_____________________________________________________________________

Two factor authentication bypass (Moderate)
stianst published GHSA-5jfq-x6xp-7rw2 on Apr 30, 2025

Package          : org.keycloak:keycloak-services (Maven)
Affected versions: < 26.2.2
Patched versions : 26.2.2

Description
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

Severity   : Moderate
CVE ID     : CVE-2025-3910
Weaknesses : No CWEs
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41             +
+ 75013 Paris           | email: cert@support.renater.fr   +
=========================================================