Authentication mechanism absence or evasion in org.keycloak:keycloak-ldap-federation

Description

Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak

Keycloak's LDAP user federation does not perform an LDAP bind after a user resets their password. The reset completes and the user is treated as authenticated on the strength of the password update alone, so the account-status checks the directory applies during a bind (for example an expired or disabled Active Directory account) are never evaluated. An expired or disabled AD account can therefore obtain a Keycloak session by going through the password reset flow. A fix should bind to the directory with the new credentials after the password update and reject the login when that bind fails, so that Keycloak's decision stays consistent with AD's authentication policies.
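The following model illustrates the gap described above: a password reset that writes the new password but never binds with it lets the directory's account-status policy go unevaluated. It is an added example written for this page, not Keycloak's or Active Directory's code; `FakeActiveDirectory`, `reset_password_flow` and the sample users are constructed for illustration, and the bind sub-codes (52e, 533, 701) are AD's conventional values reproduced in a simplified order (wrong password is reported before account status).

```python
"""Model of a password-reset flow with and without a follow-up LDAP bind.

Hypothetical code for illustration: not Keycloak's LDAP federation provider and not an
LDAP client. The directory, users and flow are constructed for this example.
"""
from dataclasses import dataclass
import hmac

# userAccountControl bits as documented for Active Directory.
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002


@dataclass
class AdUser:
    dn: str
    password: str
    user_account_control: int = NORMAL_ACCOUNT
    account_expired: bool = False  # models an accountExpires value in the past


class FakeActiveDirectory:
    """Stand-in directory. An administrative write can set the password on any
    account, but a simple bind succeeds only for an enabled, unexpired account
    presenting the right password: that is the policy a missing bind skips."""

    def __init__(self, users):
        self.users = {u.dn: u for u in users}

    def admin_set_password(self, dn, new_password):
        # The federation service account writes the new password regardless of
        # whether the target account is disabled or expired.
        self.users[dn].password = new_password

    def bind(self, dn, password):
        """Return (success, reason). Reasons mirror AD's bind sub-codes (simplified)."""
        user = self.users.get(dn)
        if user is None or not hmac.compare_digest(user.password, password):
            return False, "52e invalid credentials"
        if user.user_account_control & ACCOUNTDISABLE:
            return False, "533 account disabled"
        if user.account_expired:
            return False, "701 account expired"
        return True, "ok"


def reset_password_flow(directory, dn, new_password, bind_after_reset):
    """Model of a reset-credentials flow.

    Returns (dn_with_session_or_None, reason). With bind_after_reset=False the flow
    issues a session on the strength of the successful password write alone, which
    is the vulnerable behaviour; with True it binds as the user first and only
    issues a session when the directory accepts the credentials.
    """
    directory.admin_set_password(dn, new_password)
    if not bind_after_reset:
        return dn, "session issued without bind"
    ok, reason = directory.bind(dn, new_password)
    return (dn if ok else None), reason


def build_directory():
    """Constructed sample directory: one normal, one disabled, one expired account."""
    return FakeActiveDirectory([
        AdUser("CN=alice,OU=Users,DC=example,DC=test", "Old-Pass-1"),
        AdUser("CN=bob,OU=Users,DC=example,DC=test", "Old-Pass-2",
               user_account_control=NORMAL_ACCOUNT | ACCOUNTDISABLE),
        AdUser("CN=carol,OU=Users,DC=example,DC=test", "Old-Pass-3",
               account_expired=True),
    ])


if __name__ == "__main__":
    for bind in (False, True):
        ad = build_directory()
        for dn in list(ad.users):
            who, why = reset_password_flow(ad, dn, "New-Pass-9", bind_after_reset=bind)
            print(f"bind_after_reset={bind!s:5} {dn.split(',')[0]:9} "
                  f"-> session={who is not None!s:5} ({why})")
```

Run as a script, the disabled and expired accounts receive a session only when `bind_after_reset` is False. In a real deployment the equivalent check is to reset the password of a disabled AD test account through Keycloak's reset flow and confirm that no session is created; the bind failure, not the password write, must decide the outcome.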

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions