Publish GHSA-q8hq-4h99-fj7x

advisory-database[bot] · advisory-database[bot] · commit e9ecffec8e42 · 2025-10-27T20:49:00.000Z
diff --git a/advisories/github-reviewed/2025/10/GHSA-q8hq-4h99-fj7x/GHSA-q8hq-4h99-fj7x.json b/advisories/github-reviewed/2025/10/GHSA-q8hq-4h99-fj7x/GHSA-q8hq-4h99-fj7x.json
@@ -0,0 +1,96 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q8hq-4h99-fj7x",
+  "modified": "2025-10-27T20:46:54Z",
+  "published": "2025-10-27T20:46:54Z",
+  "aliases": [
+    "CVE-2025-11419"
+  ],
+  "summary": "Keycloak TLS Client-Initiated Renegotiation Denial of Service",
+  "details": "Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. An unauthenticated remote attacker can repeatedly initiate TLS renegotiation requests to exhaust server CPU resources, making the service unavailable. Immediate mitigation is available by setting the `-Djdk.tls.rejectClientInitiatedRenegotiation=true` Java system property in the Keycloak startup configuration.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-quarkus-dist"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.0.16"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-quarkus-dist"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "26.1.0"
+            },
+            {
+              "fixed": "26.2.10"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-quarkus-dist"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "26.3.0"
+            },
+            {
+              "fixed": "26.4.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-q8hq-4h99-fj7x"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400",
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-27T20:46:54Z",
+    "nvd_published_at": null
+  }
+}
