[go: up one dir, main page]

GHSA-8hxp-qmph-w5gq

Suggest an improvement
Source
https://github.com/advisories/GHSA-8hxp-qmph-w5gq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-8hxp-qmph-w5gq/GHSA-8hxp-qmph-w5gq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8hxp-qmph-w5gq
Aliases
  • CVE-2025-9162
Published
2025-10-08T23:32:36Z
Modified
2025-10-08T23:57:14.333469Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Keycloak Potential Variable Reference in Model Storage Services
Details

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.

Database specific
{
    "github_reviewed_at": "2025-10-08T23:32:36Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-526"
    ],
    "nvd_published_at": null,
    "github_reviewed": true
}
References

Affected packages

Maven / org.keycloak:keycloak-model-storage-services

Package

Name
org.keycloak:keycloak-model-storage-services
View open source insights on deps.dev
Purl
pkg:maven/org.keycloak/keycloak-model-storage-services

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
26.2.9

Affected versions

24.*

24.0.0
24.0.1
24.0.2
24.0.3
24.0.4
24.0.5

25.*

25.0.0
25.0.1
25.0.2
25.0.4
25.0.5
25.0.6

26.*

26.0.0
26.0.1
26.0.2
26.0.3
26.0.4
26.0.5
26.0.6
26.0.7
26.0.8
26.1.0
26.1.1
26.1.2
26.1.3
26.1.4
26.1.5
26.2.0
26.2.1
26.2.2
26.2.3
26.2.4
26.2.5

Maven / org.keycloak:keycloak-model-storage-services

Package

Name
org.keycloak:keycloak-model-storage-services
View open source insights on deps.dev
Purl
pkg:maven/org.keycloak/keycloak-model-storage-services

Affected ranges

Type
ECOSYSTEM
Events
Introduced
26.3.0
Fixed
26.3.4

Affected versions

26.*

26.3.0
26.3.1
26.3.2
26.3.3