CVE-2025-12390

Опубликовано: 28 окт. 2025

Источник: nvd

CVSS3: 6

EPSS Низкий

Описание

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

Ссылки

https://access.redhat.com/errata/RHSA-2025:21370
https://access.redhat.com/errata/RHSA-2025:21371
https://access.redhat.com/errata/RHSA-2025:22088
https://access.redhat.com/errata/RHSA-2025:22089
https://access.redhat.com/security/cve/CVE-2025-12390
https://bugzilla.redhat.com/show_bug.cgi?id=2406793
https://github.com/keycloak/keycloak/issues/43853

EPSS

Процентиль: 3%

0.00015

Низкий

6 Medium

CVSS3

Дефекты

CWE-384

Связанные уязвимости

CVE-2025-12390

CVSS3: 6

debian

3 месяца назад

A flaw was found in Keycloak. In Keycloak where a user can accidentall ...

GHSA-rg35-5v25-mqvp

CVSS3: 6

github

3 месяца назад

Keycloak vulnerable to session takeovers due to reuse of session identifiers

EPSS

Процентиль: 3%

0.00015

Низкий

6 Medium

CVSS3

Дефекты

CWE-384