2358834 – (CVE-2025-3501) CVE-2025-3501 org.keycloak.protocol.services: Keycloak hostname verification

Bug 2358834 (CVE-2025-3501) - CVE-2025-3501 org.keycloak.protocol.services: Keycloak hostname verification

Summary: CVE-2025-3501 org.keycloak.protocol.services: Keycloak hostname verification

Keywords:
Status:	NEW
Alias:	CVE-2025-3501
Deadline:	2025-05-01
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-04-10 12:30 UTC by OSIDB Bzimport
Modified:	2025-04-29 23:03 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:4335	0	None	None	None	2025-04-29 23:03:23 UTC
Red Hat Product Errata	RHSA-2025:4336	0	None	None	None	2025-04-29 22:53:30 UTC

Description OSIDB Bzimport 2025-04-10 12:30:38 UTC

Hostname verification issue that causes the trust store to trust all certificates. By setting the verification policy to 'ALL' not only the hostname check is skipped, but also the trust store certificate verification, which is an unintended side effect.

Comment 1 errata-xmlrpc 2025-04-29 22:53:28 UTC

This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2025:4336 https://access.redhat.com/errata/RHSA-2025:4336

Comment 2 errata-xmlrpc 2025-04-29 23:03:21 UTC

This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0

Via RHSA-2025:4335 https://access.redhat.com/errata/RHSA-2025:4335

Note You need to log in before you can comment on or make changes to this bug.