Описание
Keycloak has debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
Red Hat evaluates this as a Moderate impact vulnerability due to the requirement of running debug mode and untrusted network. Also, for Red Hat Single Sign-On, this must as well be bound to 0.0.0.0 address, which is not recommended in production scenarios.
Ссылки
- https://github.com/keycloak/keycloak/security/advisories/GHSA-j4vq-q93m-4683
- https://nvd.nist.gov/vuln/detail/CVE-2025-11538
- https://access.redhat.com/errata/RHSA-2025:21370
- https://access.redhat.com/errata/RHSA-2025:21371
- https://access.redhat.com/security/cve/CVE-2025-11538
- https://bugzilla.redhat.com/show_bug.cgi?id=2402622
Пакеты
org.keycloak:keycloak-quarkus-dist
< 26.4.4
26.4.4
Связанные уязвимости
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
A vulnerability exists in Keycloak's server distribution where enablin ...