Bug 2402622 (CVE-2025-11538)

Summary: CVE-2025-11538 keycloak-server: Debug default bind address
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aschwart, boliveir, Jonathan.Leitschuh, mposolda, pjindal, rmartinc, security-response-team, ssilvert, sthorger, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---Flags: Jonathan.Leitschuh: needinfo? (security-response-team)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2025-11-09   

Description OSIDB Bzimport 2025-10-09 02:00:18 UTC 
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
Comment 1 Jonathan Leitschuh 2025-11-17 20:12:38 UTC 
> This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger

What about how JDWP works prevents this from being exploited by someone not on the same network segment? Does JDWP have some sort of filtering in place, or is this something that keycloak offers?

My initial read of JDWP being exposed would be that, if exposed to the public internet, anyone would be able to exploit it.

Furthermore, shouldn't the availability metric also be "H" as well, since an RCE vulnerability would allow an attacker to take the system offline?

I'm trying to understand how this is a `CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N` not a `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`.

The CVSS score published by Red hat here doesn't make sense to me.