CVE-2025-11429
MEDIUM 5.4
Description
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.
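The following is an added example that models the expiration logic described above; it is not Keycloak's own code, and the class and field names (Realm, UserSession, sso_session_max, sso_session_max_remember_me) are assumptions chosen for illustration. It contrasts a lifespan check that trusts only the session-local flag with one that re-reads the realm's current "Remember Me" setting, and replays the scenario from the description: a session is created while the setting is enabled, an administrator then disables it, and the same session is evaluated after the normal lifespan has elapsed.

```python
"""Vulnerable vs. fixed session-lifespan check (added example, not Keycloak code)."""
from dataclasses import dataclass


@dataclass
class Realm:
    # Hypothetical model of realm-level settings an administrator can change at any time.
    remember_me_enabled: bool          # the realm "Remember Me" toggle
    sso_session_max: int               # normal maximum session lifespan, seconds
    sso_session_max_remember_me: int   # extended lifespan granted to remember-me logins, seconds


@dataclass
class UserSession:
    # Hypothetical model of a stored user session.
    started: int       # creation time, epoch seconds
    remember_me: bool  # session-local flag captured once, at login time


def max_lifespan_vulnerable(realm: Realm, session: UserSession) -> int:
    """Trusts only the session-local flag. Once a session was created with
    remember-me it keeps the extended lifespan even after the realm setting is
    disabled, which is the CWE-613 behaviour the advisory describes."""
    if session.remember_me and realm.sso_session_max_remember_me > 0:
        return realm.sso_session_max_remember_me
    return realm.sso_session_max


def max_lifespan_fixed(realm: Realm, session: UserSession) -> int:
    """Re-validates the current realm configuration on every evaluation, so
    disabling "Remember Me" takes effect on existing sessions immediately."""
    if (session.remember_me
            and realm.remember_me_enabled
            and realm.sso_session_max_remember_me > 0):
        return realm.sso_session_max_remember_me
    return realm.sso_session_max


def is_expired(realm: Realm, session: UserSession, now: int, lifespan_fn) -> bool:
    """Expiry decision shared by both variants; only the lifespan source differs."""
    return now - session.started > lifespan_fn(realm, session)


def scenario() -> dict:
    """Replays the advisory: remember-me login, admin disables the setting,
    then the session is evaluated just after the normal lifespan has passed."""
    realm = Realm(remember_me_enabled=True,
                  sso_session_max=10 * 3600,                 # 10 hours (constructed values)
                  sso_session_max_remember_me=30 * 24 * 3600)  # 30 days
    # The session captures the realm flag as it was at login time.
    session = UserSession(started=1_700_000_000, remember_me=realm.remember_me_enabled)

    realm.remember_me_enabled = False  # administrator disables "Remember Me"

    now = session.started + realm.sso_session_max + 60  # one minute past the normal lifespan
    return {
        "vulnerable_expired": is_expired(realm, session, now, max_lifespan_vulnerable),
        "fixed_expired": is_expired(realm, session, now, max_lifespan_fixed),
    }


if __name__ == "__main__":
    print(scenario())  # {'vulnerable_expired': False, 'fixed_expired': True}
```

The practical consequence for an unpatched deployment follows from the description: flipping the realm toggle alone does not shorten sessions that were issued with the extended lifespan, so an administrator who needs the change to take effect at once has to terminate those existing sessions separately rather than rely on the setting.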
CVE details
CVSS v3.1 score: 5.4
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 10/23/2025
Last modified: 12/19/2025
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-613 (Insufficient Session Expiration)
References
https://access.redhat.com/errata/RHSA-2025:22088 (secalert@redhat.com)
https://access.redhat.com/errata/RHSA-2025:22089 (secalert@redhat.com)
https://access.redhat.com/security/cve/CVE-2025-11429 (secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=2402148 (secalert@redhat.com)
https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d (secalert@redhat.com)
https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b (secalert@redhat.com)
https://github.com/keycloak/keycloak/issues/43328 (secalert@redhat.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.