Package Instance

Insufficient Session Expiration
A flaw was found in Keycloak. This flaw allows a malicious user that is currently logged-in, to see the personal information of a previously logged-out user in the account manager section.

Improper Authentication
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.

Improper Authentication
The SAML broker consumer endpoint in Keycloak ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

Improper Certificate Validation
The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (`http` or `ldap`) and hence the caller should verify the signature and possibly the certification path. Keycloak currently does not validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.

Information Exposure
It was found that while parsing the SAML messages the `StaxParserUtil` class of keycloak replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request `ID` field to be the chosen system property which could be obtained in the `InResponseTo` field in the response.

Improper Input Validation
It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

Information Exposure
A logged exception in the `HttpMethod` class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.

Improper Privilege Management
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

Information Exposure
Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session.

Incorrect Authorization
A flaw was found in the Keycloak REST API, where it would permit user access from a realm the user, was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.

Information Exposure
Keycloak has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.

Improper Authentication
It was found that Keycloak's Node.js adapter did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.

Loop with Unreachable Exit Condition (Infinite Loop)
When Keycloak receives a Logout request in the middle of the request, the `SAMLSloRequestParser.parse()` method ends in an infinite loop. An attacker could use this flaw to conduct denial of service attacks.

Improper Validation of Certificate Expiration
Keycloak does not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.