Steven Hawkins

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A security issue exists in Keycloak where enabling debug mode with the `--debug` flag insecurely binds the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, potentially allowing a malicious actor on the same network segment to attach a remote debugger and execute code remotely within the Keycloak Java virtual machine. The vulnerable parameter is `<port>`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A security issue allows admin users to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like `${env.VARNAME}` or `${PROPNAME}`. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Keycloak versions prior to 26.0.2 Description: A flaw was found in Keycloak, where sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values. Recommendations: For Keycloak versions prior to 26.0.2, update to version 26.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive environment variables and Quarkus properties to minimize the risk of exploitation. Avoid using environment variables for SPI options and Quarkus properties until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Teiid Java Database Connectivity (JDBC) socket versions prior to 5.3.0 **Description** The issue allows remote attackers to obtain login credentials via a man-in-the-middle (MITM) attack because login messages are not encrypted by default, contrary to documentation and specification. **Recommendations** For versions prior to 5.3.0, update to version 5.3.0 or later to resolve the issue.