
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN805
_____________________________________________________________________

DATE                : 17/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Keycloak.

=====================================================================
https://github.com/advisories/GHSA-7m9g-pmxf-m9m8
_____________________________________________________________________


Keycloak allows Binding to an Unrestricted IP Address
Moderate severity | GitHub Reviewed | Published Nov 13, 2025 to the
GitHub Advisory Database | Updated Nov 14, 2025

Vulnerability details

Package
org.keycloak:keycloak-quarkus-server (Maven)

Affected versions
<= 26.4.4

Patched versions
None


Description

A vulnerability exists in Keycloak's server distribution where
enabling debug mode (--debug) insecurely defaults to binding the
Java Debug Wire Protocol (JDWP) port to all network interfaces
(0.0.0.0). This exposes the debug port to the local network,
allowing an attacker on the same network segment to attach a
remote debugger and achieve remote code execution within the
Keycloak Java virtual machine.
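As an added check (not part of this advisory nor of the Keycloak project), the following Python parses the output of `ss -ltnp` on a Keycloak host and flags any socket owned by the JVM that is bound to a wildcard address on a port the operator did not expect, which is how a JDWP listener exposed by --debug would show up. The sample lines, the pids, the debug port 8787 and the expected-port set {8080, 8443, 9000} are constructed assumptions, not values from the advisory.

```python
import re

# Constructed sample of `ss -ltnp` output; the pids and the debug port 8787
# are made up for this example and do not come from the advisory.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=812,fd=7))
LISTEN  0       4096    0.0.0.0:8080        0.0.0.0:*          users:(("java",pid=1337,fd=45))
LISTEN  0       4096    0.0.0.0:8787        0.0.0.0:*          users:(("java",pid=1337,fd=12))
LISTEN  0       4096    [::]:22             [::]:*             users:(("sshd",pid=600,fd=3))
"""

# Local addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Matches one LISTEN line: local addr:port plus the first process owning the socket.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Return (process, pid, local_addr, port) for each LISTEN line with a process."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append((m["proc"], int(m["pid"]), m["addr"], int(m["port"])))
    return listeners


def find_exposed_java_listeners(ss_output, expected_ports):
    """Flag java sockets bound to all interfaces on ports the operator did not expect.

    expected_ports: the TCP ports Keycloak is meant to serve (supplied by the
    operator); anything else the JVM binds to a wildcard address, such as a
    JDWP debug listener, is reported for review.
    """
    findings = []
    for proc, pid, addr, port in parse_listeners(ss_output):
        if proc == "java" and addr in WILDCARD_ADDRS and port not in expected_ports:
            findings.append({"pid": pid, "addr": addr, "port": port})
    return findings


if __name__ == "__main__":
    # Assumed service ports for this host; adjust to the deployment being audited.
    for f in find_exposed_java_listeners(SAMPLE_SS_OUTPUT, {8080, 8443, 9000}):
        print(f"pid {f['pid']}: unexpected wildcard listener on {f['addr']}:{f['port']}")
```

Run it against live output with `ss -ltnp` piped in place of the sample; a hit on the JVM's pid means a debug or other auxiliary listener is reachable from every interface and should be bound to loopback or disabled.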


References

    https://nvd.nist.gov/vuln/detail/CVE-2025-11538
    https://access.redhat.com/security/cve/CVE-2025-11538
    https://bugzilla.redhat.com/show_bug.cgi?id=2402622
    https://access.redhat.com/errata/RHSA-2025:21370
    https://access.redhat.com/errata/RHSA-2025:21371


Severity
Moderate
6.8 / 10

CVSS v3 base metrics
Attack vector      : Adjacent
Attack complexity  : High
Privileges required: None
User interaction   : None
Scope              : Unchanged
Confidentiality    : High
Integrity          : High
Availability       : None
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS score

Weaknesses
Weakness CWE-1327

CVE ID
CVE-2025-11538

GHSA ID
GHSA-7m9g-pmxf-m9m8

Source code
keycloak/keycloak


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================