Bug 2338993 (CVE-2025-0604) - CVE-2025-0604 keycloak-ldap-federation: Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak
Summary: CVE-2025-0604 keycloak-ldap-federation: Authentication Bypass Due to Missing ...
Keywords:
Status: NEW
Alias: CVE-2025-0604
Deadline: 2025-01-22
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-01-20 11:35 UTC by OSIDB Bzimport
Modified: 2025-03-10 18:17 UTC (History)
34 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:2544 0 None None None 2025-03-10 18:17:44 UTC
Red Hat Product Errata RHSA-2025:2545 0 None None None 2025-03-10 18:03:01 UTC

Description OSIDB Bzimport 2025-01-20 11:35:36 UTC 
The issue arises because Keycloak does not perform an LDAP bind after a password reset, leading to potential authentication bypass for expired or disabled AD accounts. A fix should enforce LDAP validation after password updates to ensure consistency with AD authentication policies.
Comment 2 errata-xmlrpc 2025-03-10 18:02:58 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2025:2545 https://access.redhat.com/errata/RHSA-2025:2545
Comment 3 errata-xmlrpc 2025-03-10 18:17:41 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0

Via RHSA-2025:2544 https://access.redhat.com/errata/RHSA-2025:2544
Note You need to log in before you can comment on or make changes to this bug.