1041 matches found
PT-2025-52860
Name of the Vulnerable Software and Affected Versions continuwuity versions prior to 0.5.0 Description A remote, unauthenticated attacker can force the target server to cryptographically sign arbitrary membership events. This occurs because the server does not validate the origin of a signing...
GHSA-4HX9-48XH-5MXR Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. Mitigation Disable LDAP referrals in all LDAP user providers in all realms...
com.github.vzakharchenko:chillispot-radius-plugin (>=1.4.10 <=1.4.11), com.github.vzakharchenko:cisco-radius-plugin (>=1.4.10 <=1.4.11) +41 more potentially affected by CVE-2025-13467 via org.keycloak:keycloak-ldap-federation (>=1.0-beta-4 <=26.2.1)
org.keycloak:keycloak-ldap-federation MAVEN version =1.0-beta-4, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =2.5.6-24.0, =0.1.0, =0.2, =6.19, =7.1 and more Source cves: CVE-2025-13467 Source advisory: OSV:GHSA-4HX9-48XH-5MXR...
EUVD-2025-199598
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization...
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. Mitigation Disable LDAP referrals in all LDAP user providers in all realms...
Insecure Deserialization
org.keycloak, keycloak-ldap-federation is vulnerable to insecure deserialization. The vulnerability is due to improper handling of untrusted Java object deserialization in a malicious LDAP server configuration, which allows an authenticated realm administrator to trigger the execution of arbitrar...
@amazeelabs/bridge-waku (>=1.1.0 <=2.0.1), @amazeelabs/executors (>=3.0.0 <=3.1.14) +19 more potentially affected by CVE-2025-55182 via react-server-dom-webpack (>=19.0.0-rc.0 <=19.0.0)
react-server-dom-webpack NPM version =19.0.0-rc.0, =1.1.0, =3.0.0, =1.1.0, =1.1.0, =0.9.1-next.19, =0.9.1-next.19, =0.9.1-next.19, =0.0.4, =0.0.0-next-20250108080920, =0.0.0-next-20250108080920, =0.0.0-next-20250219082408, =0.0.2, =8.0.0-canary.841, =8.0.0, =9.0.0-canary.142 and more Source cves:...
GHSA-93VM-MQPW-8WH3 Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references. Original Description A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm...
Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references. Original Description A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the URL references when following referrals. An attacker can manipulate application behavior by configuring a malicious LDAP server and triggering deserialization of untrusted Java objects as an...
Moderate: Red Hat Security Advisory: Red Hat build of Keycloak 26.2.11 Security Update
New Red Hat build of Keycloak 26.2.11 packages are available from the Customer Portal Red Hat build of Keycloak 26.2.11 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security...
CVE-2025-13467 Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...
CVE-2025-13467
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. Mitigation Mitigation for this issue is either not available or the...
RLSA-2025:21462 Critical: lasso security update
The lasso packages provide the Lasso library that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications. It allows handling of the whole life-cycle of SAML-based federations and provides bindings for multiple languages. Security Fixes: lasso: Type...
ALSA-2025:21462 Critical: lasso security update
The lasso packages provide the Lasso library that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications. It allows handling of the whole life-cycle of SAML-based federations and provides bindings for multiple languages. Security Fixes: lasso: Type...
Critical: lasso security update
The lasso packages provide the Lasso library that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications. It allows handling of the whole life-cycle of SAML-based federations and provides bindings for multiple languages. Security Fixes: lasso: Type...
RHEL 9 : lasso (RHSA-2025:21462)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:21462 advisory. The lasso packages provide the Lasso library that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2...
CVE-2025-64530
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. A vulnerability in versions of Apollo Federation's composition logic prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1 allowed some queries to Apollo Router to improperly bypass access controls on types/fields...
GHSA-M8JR-FXQX-8XX6 Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
Summary A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields...
EUVD-2025-197661
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields...