Maven package
org.keycloak/keycloak-ldap-federation
pkg:maven/org.keycloak/keycloak-ldap-federation
Vulnerabilities (4)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-13467 | Medium | 5.5 | | >= 26.3.0, < 26.4.6 | 26.4.6 | Nov 25, 2025 | A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. |
| CVE-2025-0604 | Medium | 5.4 | | >= 26.1.0, < 26.1.3 | 26.1.3 | Jan 22, 2025 | A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycl |
| CVE-2022-2232 | High | 7.5 | | < 23.0.1 | 23.0.1 | Nov 14, 2024 | A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions. |
| CVE-2024-5967 | Low | 2.7 | | >= 25.0.0, < 25.0.1 | 25.0.1 | Jun 18, 2024 | A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host |