
Keycloak < 26.2.9 Multiple Vulnerabilities (GHSA-wc64-wmfm-46vw)(GHSA-xmcw-mv9p-7pq2)

Published: 24 Sep 2025. Reported by Tenable. Type: nessus. Source: www.tenable.com

Keycloak before 26.2.9 has Windows vault path traversal and error_description phishing risk.

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(265769);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/21");

  script_cve_id("CVE-2025-10043", "CVE-2025-10044");
  script_xref(name:"IAVB", value:"2025-B-0156-S");

  script_name(english:"Keycloak < 26.2.9 Multiple Vulnerabilities (GHSA-wc64-wmfm-46vw)(GHSA-xmcw-mv9p-7pq2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Keycloak installed on the remote host is prior to 26.2.9. It is, therefore, affected by multiple
vulnerabilities as referenced in the advisories GHSA-wc64-wmfm-46vw and GHSA-xmcw-mv9p-7pq2.

  - A path traversal validation flaw exists in Keycloak’s vault key handling on Windows. The previous fix for 
    CVE-2024-10492 did not account for the Windows file separator (\). As a result, a high-privilege 
    administrator could probe for the existence of files outside the expected realm context through crafted 
    vault secret lookups. This is a platform-specific variant of, and incomplete fix for, CVE-2024-10492.
    (CVE-2025-10043)

  - A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the 
    error_description query parameter. This text is directly rendered in error pages without validation or 
    sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g. 
    fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a 
    phishing vector, potentially tricking users into contacting malicious actors. (CVE-2025-10044)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-wc64-wmfm-46vw");
  script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-xmcw-mv9p-7pq2");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-10044");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/09/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:keycloak:keycloak");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("keycloak_nix_installed.nbin");
  script_require_keys("installed_sw/Keycloak");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'requires': [
    {'scope': 'target', 'match': {'os': 'linux'}}
  ],
  'checks': [
    {
      'product': {'name': 'Keycloak', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints' : [
        { 'fixed_version' : '26.2.9', 'fixed_display' : 'See vendor advisory' }
      ]
    }
  ]
};

var vdf_result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING);
vdf::handle_check_and_report_errors(vdf_result:vdf_result);
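The CVE-2025-10043 entry above describes a containment check that handled only the POSIX separator, so a key built from backslashes passed validation on Windows. The following is an added illustration of that pattern, not Keycloak's code: the vault layout <VAULT_ROOT>/<realm>/<key>, the function names and the sample keys are assumptions for the example. The weak resolver is modelled on the described flaw (it is run here with POSIX path semantics, which is exactly why the backslash key survives normalisation); the hardened resolver refuses either separator before the host OS ever gets to interpret the key.

```python
"""Vault-key validation, weak vs. hardened (CVE-2025-10043 pattern).

Added illustration, not Keycloak's code. The directory layout
<VAULT_ROOT>/<realm>/<key>, the function names and the probe keys are
assumptions made for this example.
"""
import posixpath
import re
from typing import Optional

VAULT_ROOT = "/opt/keycloak/vault"   # hypothetical directory holding vault files


def weak_resolve(realm: str, key: str) -> Optional[str]:
    """Incomplete fix modelled on the flaw described above: only '/' counts as a
    separator. POSIX normalisation never touches a backslash, so the key
    '..\\..\\Windows\\win.ini' survives as one opaque "file name" and passes the
    containment check; on Windows the filesystem then treats every '\\' as a
    directory separator and walks out of the realm directory."""
    realm_dir = posixpath.join(VAULT_ROOT, realm)
    candidate = posixpath.normpath(posixpath.join(realm_dir, key))
    if not candidate.startswith(realm_dir + "/"):
        return None                      # catches '../../etc/passwd' only
    return candidate


ANY_SEPARATOR = re.compile(r"[\\/]")        # both POSIX and Windows separators
KEY_CHARS = re.compile(r"[A-Za-z0-9_.-]+")  # allowlist: no separators, no drive colon


def hardened_resolve(realm: str, key: str) -> Optional[str]:
    """Platform-independent check: reject either separator outright, then
    allowlist the remaining characters and refuse the dot entries. Because the
    key can no longer spell a path at all, the host OS separator rules are
    irrelevant to the result."""
    if ANY_SEPARATOR.search(key):
        return None
    if key in ("", ".", "..") or not KEY_CHARS.fullmatch(key):
        return None
    return posixpath.join(VAULT_ROOT, realm, key)


def compare(realm: str, keys):
    """Return (key, accepted_by_weak, accepted_by_hardened) for each probe key."""
    return [(k, weak_resolve(realm, k) is not None,
                hardened_resolve(realm, k) is not None) for k in keys]


if __name__ == "__main__":
    probes = ["smtp_password", "../../etc/passwd", "..\\..\\Windows\\win.ini"]
    for row in compare("master", probes):
        print(row)
```

The point of the comparison is the third probe: both resolvers reject the forward-slash traversal, but only the hardened one rejects the backslash form, which is the gap the advisory attributes to the earlier CVE-2024-10492 fix.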

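The CVE-2025-10044 entry notes that HTML encoding already prevents script injection; the residual risk is that attacker-chosen wording is shown inside a page the user trusts. The block below is an added example, not Keycloak's code and not its actual fix: it puts the vulnerable rendering pattern beside one hardening approach (select a fixed, server-owned message by OAuth error code and never echo error_description), and adds a log-scanning heuristic that flags error_description values carrying phone numbers or URLs. The sample URLs are constructed, and the error-code wordings are assumptions for the example.

```python
"""error_description reflection: vulnerable rendering, hardened rendering, and a
log heuristic (CVE-2025-10044 pattern).

Added example, not Keycloak's code. The message table, the hostnames and the
sample URLs below are constructed for this illustration.
"""
import html
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Fixed, server-owned wording per OAuth error code. The codes are standard OAuth
# error values; the wording chosen here is an assumption for the example.
KNOWN_ERRORS: Dict[str, str] = {
    "invalid_request": "The request was malformed. Please try signing in again.",
    "access_denied": "Access was denied. Contact your administrator if this is unexpected.",
    "invalid_grant": "Your session has expired. Please sign in again.",
}
GENERIC_MESSAGE = "An unexpected error occurred. Please try again later."


def _params(url: str) -> Dict[str, str]:
    """First value of each query parameter, percent-decoded."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def render_weak(url: str) -> str:
    """Vulnerable pattern: the attacker-controlled text is escaped (so no XSS)
    but still displayed verbatim inside the trusted error page."""
    p = _params(url)
    text = p.get("error_description") or p.get("error", "")
    return '<p class="error">%s</p>' % html.escape(text)


def render_hardened(url: str) -> str:
    """Only the error code selects the message; error_description is never
    rendered (it can still be written to the server log for debugging)."""
    code = _params(url).get("error", "")
    return '<p class="error">%s</p>' % html.escape(KNOWN_ERRORS.get(code, GENERIC_MESSAGE))


# Heuristics for web-server logs: legitimate OAuth error descriptions do not
# normally contain phone numbers or links.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def is_lure(url: str) -> bool:
    """True when the error_description parameter looks like a phishing lure."""
    desc = _params(url).get("error_description")
    if not desc:
        return False
    return bool(PHONE_RE.search(desc) or URL_RE.search(desc))


def scan(urls: List[str]) -> List[str]:
    """Return the request URLs whose error_description looks suspicious."""
    return [u for u in urls if is_lure(u)]


# Constructed sample requests, as they might appear in an access log.
SAMPLE_LOG = [
    "https://sso.example.test/realms/demo/account/?error=invalid_request"
    "&error_description=Your+account+is+locked.+Call+%2B1+555+0100+to+unlock",
    "https://sso.example.test/realms/demo/account/?error=access_denied"
    "&error_description=Verify+at+https%3A%2F%2Fsso-example.test%2Fverify",
    "https://sso.example.test/realms/demo/account/?error=invalid_grant"
    "&error_description=Code+not+valid",
]

if __name__ == "__main__":
    for u in SAMPLE_LOG:
        print("weak:    ", render_weak(u))
        print("hardened:", render_hardened(u))
    print("flagged:", scan(SAMPLE_LOG))
```

The first two sample requests are what the advisory's phishing vector looks like in practice: the weak renderer shows the attacker's phone number or link in the SSO page, the hardened renderer shows only the canonical text for the error code, and the heuristic flags both requests while leaving the ordinary "Code not valid" error alone.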

Scores (current as of 21 Jan 2026 00:00)
Vulners AI Score: 5.1 (Medium risk)
CVSS 3: 2.7
CVSS 3.1: 4.3
EPSS: 0.00167
SSVC: 4