A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
> This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger What about how JDWP works prevents this from being exploited by someone not on the same network segment? Does JDWP have some sort of filtering in place, or is this something that keycloak offers? My initial read of JDWP being exposed would be that, if exposed to the public internet, anyone would be able to exploit it. Furthermore, shouldn't the availability metric also be "H" as well, since an RCE vulnerability would allow an attacker to take the system offline? I'm trying to understand how this is a `CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N` not a `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`. The CVSS score published by Red hat here doesn't make sense to me.