| 0 |
|
| 1 |
| url |
VCID-1fwh-a287-5qgt |
| vulnerability_id |
VCID-1fwh-a287-5qgt |
| summary |
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.4.4 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.4.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 2 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 3 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 4 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 5 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 6 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 7 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 8 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 9 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 10 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 11 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 12 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 13 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 14 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 15 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 16 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 17 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 18 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 19 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 20 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.4.4 |
|
|
| aliases |
CVE-2025-12150, GHSA-7g5x-9c4v-4w5r
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1fwh-a287-5qgt |
|
| 2 |
| url |
VCID-1u7p-4qg4-yqbv |
| vulnerability_id |
VCID-1u7p-4qg4-yqbv |
| summary |
Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xhpr-465j-7p9q. This link is maintained to preserve external references.
### Original Description
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.3.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.3.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 3 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 4 |
| vulnerability |
VCID-bw6h-4h9x-rbab |
|
| 5 |
| vulnerability |
VCID-c58s-s3rb-27fw |
|
| 6 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 7 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 8 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 9 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 10 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 11 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 12 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 13 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 14 |
| vulnerability |
VCID-pgjk-vhx6-yqbt |
|
| 15 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 16 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 17 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 18 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 19 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 20 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 21 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 22 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 23 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 24 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 25 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 26 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 27 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.3.0 |
|
|
| aliases |
GHSA-gj52-35xm-gxjh
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1u7p-4qg4-yqbv |
|
| 3 |
| url |
VCID-2kyy-pzzx-n7gr |
| vulnerability_id |
VCID-2kyy-pzzx-n7gr |
| summary |
Keycloak vulnerable to impersonation via logout token exchange
Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 41 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 42 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 43 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 44 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 45 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 46 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-0657, GHSA-7fpj-9hr8-28vh
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2kyy-pzzx-n7gr |
|
| 4 |
| url |
VCID-2xg4-ad4r-4kce |
| vulnerability_id |
VCID-2xg4-ad4r-4kce |
| summary |
Keycloak vulnerable to session takeovers due to reuse of session identifiers
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:21370 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:21370 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:21371 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:21371 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:22088 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:22088 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:22089 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:22089 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2406793 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2406793 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
| reference_url |
https://github.com/keycloak/keycloak/issues/43853 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://github.com/keycloak/keycloak/issues/43853 |
|
| 15 |
|
| 16 |
|
| 17 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2025-12390 |
| reference_id |
CVE-2025-12390 |
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2025-12390 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 5 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 6 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 7 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 8 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 9 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 10 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 11 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 12 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 13 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 14 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 15 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 16 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 17 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 18 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 19 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 20 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 21 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 22 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 23 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 24 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 25 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 26 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 27 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 28 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 29 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 30 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 31 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 32 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 33 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 34 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 35 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 36 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 37 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.0 |
|
|
| aliases |
CVE-2025-12390, GHSA-rg35-5v25-mqvp
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2xg4-ad4r-4kce |
|
| 5 |
| url |
VCID-2xvq-t8jp-zfbj |
| vulnerability_id |
VCID-2xvq-t8jp-zfbj |
| summary |
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow
Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).
Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1353 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1353 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:2945 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:2945 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:4057 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:4057 |
|
| 5 |
|
| 6 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-6717 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-6717 |
|
| 7 |
|
| 8 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2253952 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2253952 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 41 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 42 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 43 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 44 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 45 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 46 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6717, GHSA-8rmm-gm28-pj8q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2xvq-t8jp-zfbj |
|
| 6 |
| url |
VCID-36v6-qmgy-j3cv |
| vulnerability_id |
VCID-36v6-qmgy-j3cv |
| summary |
Duplicate Advisory: Keycloak Open Redirect vulnerability
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references.
# Original Description
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 5 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 6 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 7 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 8 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 9 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 10 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 11 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 12 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 13 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 14 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 15 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 16 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 17 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 18 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 19 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 20 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 21 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 22 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 23 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 24 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 25 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 26 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 27 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 28 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 29 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 30 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 31 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 32 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 33 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 34 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 35 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 36 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 37 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 38 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.6 |
|
|
| aliases |
GHSA-vvf8-2h68-9475
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-36v6-qmgy-j3cv |
|
| 7 |
| url |
VCID-3adr-h63v-c3eg |
| vulnerability_id |
VCID-3adr-h63v-c3eg |
| summary |
Keycloak does not invalidate offline sessions when the offline_access scope is removed
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.2.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 4 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 5 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 6 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 7 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 8 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 9 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 10 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 11 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 12 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 13 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 14 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 15 |
| vulnerability |
VCID-mzdb-4zsz-qqhn |
|
| 16 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 17 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 18 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 19 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 20 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 21 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 22 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 23 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 24 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 25 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 26 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 27 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 28 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 29 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.2.3 |
|
|
| aliases |
CVE-2025-12110, GHSA-895x-rfqp-jh5c
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3adr-h63v-c3eg |
|
| 8 |
| url |
VCID-4hs9-48uu-8qbf |
| vulnerability_id |
VCID-4hs9-48uu-8qbf |
| summary |
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references.
## Original Description
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 7 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 8 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 9 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 10 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 11 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 12 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 13 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 14 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 15 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 16 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 17 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 18 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 19 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 20 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 21 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 22 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 23 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 24 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 25 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 26 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 27 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 28 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 29 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 30 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 31 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 32 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 33 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 34 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 35 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 36 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 37 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 38 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 39 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 40 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 41 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 42 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
GHSA-4vrx-8phj-x3mg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4hs9-48uu-8qbf |
|
| 9 |
| url |
VCID-66zv-ra8w-s3b4 |
| vulnerability_id |
VCID-66zv-ra8w-s3b4 |
| summary |
Keycloak Services has a potential bypass of brute force protection
If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.
**Acknowledgements:**
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6493 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6493 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6494 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6494 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6495 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6495 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6497 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6497 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6499 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6499 |
|
| 5 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6500 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6500 |
|
| 6 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6501 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2276761 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2276761 |
|
| 10 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-4629 |
| reference_id |
CVE-2024-4629 |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-4629 |
|
| 26 |
|
| 27 |
|
| 28 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.4 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 7 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 8 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 9 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 10 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 11 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 12 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 13 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 14 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 15 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 16 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 17 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 18 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 19 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 20 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 21 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 22 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 23 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 24 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 25 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 26 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 27 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 28 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 29 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 30 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 31 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 32 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 33 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 34 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 35 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 36 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 37 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 38 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 39 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 40 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 41 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.4 |
|
|
| aliases |
CVE-2024-4629, GHSA-gc7q-jgjv-vjr2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-66zv-ra8w-s3b4 |
|
| 10 |
| url |
VCID-6dya-2u73-vbee |
| vulnerability_id |
VCID-6dya-2u73-vbee |
| summary |
Keycloak vulnerable to two factor authentication bypass
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.2.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 5 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 6 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 7 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 8 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 9 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 10 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 11 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 12 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 13 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 14 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 15 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 16 |
| vulnerability |
VCID-mzdb-4zsz-qqhn |
|
| 17 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 18 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 19 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 20 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 21 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 22 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 23 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 24 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 25 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 26 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 27 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 28 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 29 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 30 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.2.2 |
|
|
| aliases |
CVE-2025-3910, GHSA-5jfq-x6xp-7rw2
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6dya-2u73-vbee |
|
| 11 |
| url |
VCID-6kbf-zmzu-xbgt |
| vulnerability_id |
VCID-6kbf-zmzu-xbgt |
| summary |
Keycloak's improper input validation allows using email as username
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 12 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 13 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 14 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 15 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 16 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 17 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 18 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 19 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 20 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 21 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 22 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 23 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 24 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 25 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 26 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 27 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 28 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 29 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 30 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 31 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 32 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 33 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 34 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 35 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 36 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 37 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 38 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 39 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 40 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 41 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 42 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 43 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 44 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 45 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 46 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 47 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 48 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 49 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 50 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 51 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 52 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 53 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 54 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.1 |
|
|
| aliases |
CVE-2021-3754, GHSA-4vc8-pg5c-vg4x
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6kbf-zmzu-xbgt |
|
| 12 |
|
| 13 |
| url |
VCID-8ekh-fbbj-5yfb |
| vulnerability_id |
VCID-8ekh-fbbj-5yfb |
| summary |
Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wq8x-cg39-8mrr. This link is maintained to preserve external references.
## Original Description
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 5 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 6 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 7 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 8 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 9 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 10 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 11 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 12 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 13 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 14 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 15 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 16 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 17 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 18 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 19 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 20 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 21 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 22 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 23 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 24 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 25 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 26 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 27 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 28 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 29 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 30 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 31 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 32 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 33 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 34 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 35 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.6 |
|
|
| aliases |
GHSA-j3x3-r585-4qhg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8ekh-fbbj-5yfb |
|
| 14 |
| url |
VCID-9jrc-ayvh-e7dk |
| vulnerability_id |
VCID-9jrc-ayvh-e7dk |
| summary |
Keycloak is vulnerable to IDN homograph attack
A flaw was found in keycloak, where IDN homograph attacks are possible. This flaw allows a malicious user to register a name that already exists and then tricking an admin to grant extra privileges. The highest threat from this vulnerability is to integrity. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-asmd-x6cy-dqdt |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 17 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 18 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 19 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 20 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 21 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 22 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 23 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 24 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 25 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 26 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 27 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 28 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 31 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 32 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 33 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 34 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 35 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 36 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 37 |
| vulnerability |
VCID-kf26-bvty-a3g9 |
|
| 38 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 39 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 40 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 41 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 42 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 43 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 44 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 45 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 46 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 47 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 48 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 49 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 50 |
| vulnerability |
VCID-ugpk-g4qu-x3b5 |
|
| 51 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 52 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 53 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 54 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 55 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 56 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 57 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 58 |
| vulnerability |
VCID-wxaq-rrqq-pyah |
|
| 59 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 60 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 61 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 62 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 63 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 64 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 65 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 66 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@18.0.0 |
|
|
| aliases |
GHSA-mwm4-5qwr-g9pf, GMS-2022-1099
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9jrc-ayvh-e7dk |
|
| 15 |
| url |
VCID-asmd-x6cy-dqdt |
| vulnerability_id |
VCID-asmd-x6cy-dqdt |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2151618 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
|
| 1 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-12T19:43:33Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2151618 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 15 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 16 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 17 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 18 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 19 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 20 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 21 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 22 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 23 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 24 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 25 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 26 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 27 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 28 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 29 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 30 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 31 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 32 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 33 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 34 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 35 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 36 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 37 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 38 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 39 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 40 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 41 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 42 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 43 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 44 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 45 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 46 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 47 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 48 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 49 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 50 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 51 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 52 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 53 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 54 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 55 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 56 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 57 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 58 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 59 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 60 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@21.1.2 |
|
|
| aliases |
CVE-2022-4361, GHSA-3p62-6fjh-3p5h
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-asmd-x6cy-dqdt |
|
| 16 |
| url |
VCID-azxv-y5rj-vkg9 |
| vulnerability_id |
VCID-azxv-y5rj-vkg9 |
| summary |
Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@20.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@20.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-48jh-8c96-3bc9 |
|
| 9 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 10 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 11 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 12 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 13 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 14 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 15 |
| vulnerability |
VCID-asmd-x6cy-dqdt |
|
| 16 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 17 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 18 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 19 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 20 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 21 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 22 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 23 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 24 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 25 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 26 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 27 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 28 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 31 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 32 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 33 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 34 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 35 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 36 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 37 |
| vulnerability |
VCID-kf26-bvty-a3g9 |
|
| 38 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 39 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 40 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 41 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 42 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 43 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 44 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 45 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 46 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 47 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 48 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 49 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 50 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 51 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 52 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 53 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 54 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 55 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 56 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 57 |
| vulnerability |
VCID-wxaq-rrqq-pyah |
|
| 58 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 59 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 60 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 61 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 62 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 63 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 64 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 65 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@20.0.2 |
|
|
| aliases |
CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-azxv-y5rj-vkg9 |
|
| 17 |
| url |
VCID-bebk-k27t-4qgf |
| vulnerability_id |
VCID-bebk-k27t-4qgf |
| summary |
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2733, GHSA-fjf4-6f34-w64q
|
| risk_score |
1.7 |
| exploitability |
0.5 |
| weighted_severity |
3.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bebk-k27t-4qgf |
|
| 18 |
| url |
VCID-bub5-f9wf-57d4 |
| vulnerability_id |
VCID-bub5-f9wf-57d4 |
| summary |
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 7 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 8 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 9 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 10 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 11 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 12 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 13 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 14 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 15 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 16 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 17 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 18 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 19 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 20 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 21 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 22 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 23 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 24 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 25 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 26 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 27 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 28 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 29 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 30 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 31 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 32 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 33 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 34 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 35 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 36 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 37 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 38 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 39 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 40 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 41 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 42 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
CVE-2024-4540, GHSA-69fp-7c8p-crjr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bub5-f9wf-57d4 |
|
| 19 |
| url |
VCID-ch1b-adh9-skah |
| vulnerability_id |
VCID-ch1b-adh9-skah |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@20.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@20.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-asmd-x6cy-dqdt |
|
| 15 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 16 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 17 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 18 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 19 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 20 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 21 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 22 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 23 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 24 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 25 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 26 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 27 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 28 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 29 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 30 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 31 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 32 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 33 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 34 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 35 |
| vulnerability |
VCID-kf26-bvty-a3g9 |
|
| 36 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 37 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 38 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 39 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 40 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 41 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 42 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 43 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 44 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 45 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 46 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 47 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 48 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 49 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 50 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 51 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 52 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 53 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 54 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 55 |
| vulnerability |
VCID-wxaq-rrqq-pyah |
|
| 56 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 57 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 58 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 59 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 60 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 61 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 62 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 63 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@20.0.5 |
|
|
| aliases |
CVE-2022-1274, GHSA-m4fv-gm5m-4725, GMS-2023-528
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ch1b-adh9-skah |
|
| 20 |
| url |
VCID-cs4b-u9hn-9ugy |
| vulnerability_id |
VCID-cs4b-u9hn-9ugy |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 7 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 8 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 9 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 10 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 11 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 12 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 13 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 14 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 15 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 16 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 17 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 18 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 19 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 20 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 21 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 22 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 23 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 24 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 25 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 26 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 27 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 28 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 29 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 30 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 31 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 32 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 33 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 34 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 35 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 36 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 37 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 38 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 39 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 40 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.5 |
|
|
| aliases |
CVE-2024-7341, GHSA-5rxp-2rhr-qwqv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cs4b-u9hn-9ugy |
|
| 21 |
| url |
VCID-dckx-y9zp-d7fy |
| vulnerability_id |
VCID-dckx-y9zp-d7fy |
| summary |
Keycloak Admin REST API exposes backend schema and rules
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.3.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.3.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 3 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 4 |
| vulnerability |
VCID-bw6h-4h9x-rbab |
|
| 5 |
| vulnerability |
VCID-c58s-s3rb-27fw |
|
| 6 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 7 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 8 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 9 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 10 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 11 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 12 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 13 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 14 |
| vulnerability |
VCID-pgjk-vhx6-yqbt |
|
| 15 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 16 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 17 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 18 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 19 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 20 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 21 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 22 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 23 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 24 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 25 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 26 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 27 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.3.0 |
|
|
| aliases |
CVE-2025-14083, GHSA-594w-2fwp-jwrc
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dckx-y9zp-d7fy |
|
| 22 |
| url |
VCID-dgdk-ahqm-9ken |
| vulnerability_id |
VCID-dgdk-ahqm-9ken |
| summary |
Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-27gp-8389-hm4w. This link is maintained to preserve external references.
### Original Description
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.3.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.3.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 3 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 4 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 5 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 6 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 7 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 8 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 9 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 10 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 11 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 12 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 13 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 14 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 15 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 16 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 17 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 18 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 19 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 20 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 21 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 22 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 23 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.3.2 |
|
|
| aliases |
GHSA-83j7-mhw9-388w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dgdk-ahqm-9ken |
|
| 23 |
| url |
VCID-dt1x-6344-fkda |
| vulnerability_id |
VCID-dt1x-6344-fkda |
| summary |
Keycloak Authorization Bypass vulnerability
Due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client, a malicious user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration previously unauthorized. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 41 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 42 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 43 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 44 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 45 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 46 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6544, GHSA-46c8-635v-68r2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dt1x-6344-fkda |
|
| 24 |
| url |
VCID-dvk9-qsq9-4uc3 |
| vulnerability_id |
VCID-dvk9-qsq9-4uc3 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@17.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@17.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-9jrc-ayvh-e7dk |
|
| 15 |
| vulnerability |
VCID-asmd-x6cy-dqdt |
|
| 16 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 17 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 18 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 19 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 20 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 21 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 22 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 23 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 24 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 25 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 26 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 27 |
| vulnerability |
VCID-g36a-kpzd-3bdf |
|
| 28 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 29 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 30 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 31 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 32 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 33 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 34 |
| vulnerability |
VCID-jfsk-9epz-t7a8 |
|
| 35 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 36 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 37 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 38 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 39 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 40 |
| vulnerability |
VCID-kf26-bvty-a3g9 |
|
| 41 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 42 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 43 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 44 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 45 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 46 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 47 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 48 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 49 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 50 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 51 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 52 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 53 |
| vulnerability |
VCID-ugpk-g4qu-x3b5 |
|
| 54 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 55 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 56 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 57 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 58 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 59 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 60 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 61 |
| vulnerability |
VCID-wxaq-rrqq-pyah |
|
| 62 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 63 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 64 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 65 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 66 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 67 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 68 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 69 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@17.0.0 |
|
|
| aliases |
CVE-2021-20323, GHSA-xpgc-j48j-jwv9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dvk9-qsq9-4uc3 |
|
| 25 |
| url |
VCID-dwgd-79t9-d7a1 |
| vulnerability_id |
VCID-dwgd-79t9-d7a1 |
| summary |
Duplicate Advisory: Keycloak hostname verification
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references.
# Original Description
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.2.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 5 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 6 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 7 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 8 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 9 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 10 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 11 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 12 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 13 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 14 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 15 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 16 |
| vulnerability |
VCID-mzdb-4zsz-qqhn |
|
| 17 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 18 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 19 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 20 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 21 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 22 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 23 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 24 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 25 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 26 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 27 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 28 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 29 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 30 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.2.2 |
|
|
| aliases |
GHSA-r934-w73g-v4p8
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dwgd-79t9-d7a1 |
|
| 26 |
|
| 27 |
| url |
VCID-fkdm-gq5h-rbg7 |
| vulnerability_id |
VCID-fkdm-gq5h-rbg7 |
| summary |
Keycloak does not validate and update refresh token usage atomically
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.3.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.3.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 3 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 4 |
| vulnerability |
VCID-bw6h-4h9x-rbab |
|
| 5 |
| vulnerability |
VCID-c58s-s3rb-27fw |
|
| 6 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 7 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 8 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 9 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 10 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 11 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 12 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 13 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 14 |
| vulnerability |
VCID-pgjk-vhx6-yqbt |
|
| 15 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 16 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 17 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 18 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 19 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 20 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 21 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 22 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 23 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 24 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 25 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 26 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 27 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.3.0 |
|
|
| aliases |
CVE-2026-1035, GHSA-m2w5-7xhv-w6fh
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fkdm-gq5h-rbg7 |
|
| 28 |
| url |
VCID-g36a-kpzd-3bdf |
| vulnerability_id |
VCID-g36a-kpzd-3bdf |
| summary |
multiple issues |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-asmd-x6cy-dqdt |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 17 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 18 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 19 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 20 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 21 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 22 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 23 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 24 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 25 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 26 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 27 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 28 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 31 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 32 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 33 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 34 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 35 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 36 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 37 |
| vulnerability |
VCID-kf26-bvty-a3g9 |
|
| 38 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 39 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 40 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 41 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 42 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 43 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 44 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 45 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 46 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 47 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 48 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 49 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 50 |
| vulnerability |
VCID-ugpk-g4qu-x3b5 |
|
| 51 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 52 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 53 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 54 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 55 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 56 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 57 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 58 |
| vulnerability |
VCID-wxaq-rrqq-pyah |
|
| 59 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 60 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 61 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 62 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 63 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 64 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 65 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 66 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@18.0.0 |
|
|
| aliases |
CVE-2021-3424, GHSA-pf38-cw3p-22q9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g36a-kpzd-3bdf |
|
| 29 |
| url |
VCID-ghak-3963-juhk |
| vulnerability_id |
VCID-ghak-3963-juhk |
| summary |
Keycloak path traversal vulnerability in the redirect validation
An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 41 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 42 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 43 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 44 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 45 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 46 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-2419, GHSA-mrv8-pqfj-7gp5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ghak-3963-juhk |
|
| 30 |
| url |
VCID-gv5e-6w51-uydc |
| vulnerability_id |
VCID-gv5e-6w51-uydc |
| summary |
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3429, GHSA-8g9r-9wjw-37j4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gv5e-6w51-uydc |
|
| 31 |
|
| 32 |
| url |
VCID-hxup-rgnc-mqbp |
| vulnerability_id |
VCID-hxup-rgnc-mqbp |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 15 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 16 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 17 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 18 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 19 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 20 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 21 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 22 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 23 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 24 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 25 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 26 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 27 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 28 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 29 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 30 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 31 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 32 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 33 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 34 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 35 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 36 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 37 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 38 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 39 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 40 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 41 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 42 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 43 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 44 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 45 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 46 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 47 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 48 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 49 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 50 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 51 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 52 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 53 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 54 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 55 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.0 |
|
|
| aliases |
CVE-2024-1722, GHSA-3hrr-xwvg-hxvr, GHSA-cq42-vhv7-xr7p
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hxup-rgnc-mqbp |
|
| 33 |
| url |
VCID-hzvd-ugxf-9fcd |
| vulnerability_id |
VCID-hzvd-ugxf-9fcd |
| summary |
Keycloak's admin API allows low privilege users to use administrative functions
Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
**Acknowledgements:**
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
| reference_url |
https://github.com/advisories/GHSA-2cww-fgmg-4jqc |
| reference_id |
GHSA-2cww-fgmg-4jqc |
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-09T19:18:03Z/ |
|
|
| url |
https://github.com/advisories/GHSA-2cww-fgmg-4jqc |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 7 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 8 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 9 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 10 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 11 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 12 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 13 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 14 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 15 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 16 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 17 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 18 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 19 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 20 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 21 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 22 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 23 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 24 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 25 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 26 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 27 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 28 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 29 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 30 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 31 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 32 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 33 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 34 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 35 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 36 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 37 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 38 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 39 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 40 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 41 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 42 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
CVE-2024-3656, GHSA-2cww-fgmg-4jqc
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hzvd-ugxf-9fcd |
|
| 34 |
|
| 35 |
| url |
VCID-jfsk-9epz-t7a8 |
| vulnerability_id |
VCID-jfsk-9epz-t7a8 |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-asmd-x6cy-dqdt |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 17 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 18 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 19 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 20 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 21 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 22 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 23 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 24 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 25 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 26 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 27 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 28 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 31 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 32 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 33 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 34 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 35 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 36 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 37 |
| vulnerability |
VCID-kf26-bvty-a3g9 |
|
| 38 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 39 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 40 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 41 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 42 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 43 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 44 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 45 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 46 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 47 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 48 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 49 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 50 |
| vulnerability |
VCID-ugpk-g4qu-x3b5 |
|
| 51 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 52 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 53 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 54 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 55 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 56 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 57 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 58 |
| vulnerability |
VCID-wxaq-rrqq-pyah |
|
| 59 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 60 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 61 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 62 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 63 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 64 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 65 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 66 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@18.0.0 |
|
|
| aliases |
CVE-2022-1245, GHSA-75p6-52g3-rqc8, GMS-2022-1039
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jfsk-9epz-t7a8 |
|
| 36 |
| url |
VCID-jhzk-d1en-gkhj |
| vulnerability_id |
VCID-jhzk-d1en-gkhj |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.1.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 5 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 6 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 7 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 8 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 9 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 10 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 11 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 12 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 13 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 14 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 15 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 16 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 17 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 18 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 19 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 20 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 21 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 22 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 23 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 24 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 25 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 26 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 27 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 28 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 29 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 30 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 31 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 32 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 33 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.1.2 |
|
| 2 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.1.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 5 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 6 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 7 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 8 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 9 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 10 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 11 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 12 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 13 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 14 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 15 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 16 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 17 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 18 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 19 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 20 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 21 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 22 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 23 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 24 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 25 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 26 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 27 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 28 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 29 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 30 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 31 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 32 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 33 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.1.3 |
|
|
| aliases |
CVE-2025-1391, GHSA-gvgg-2r3r-53x7, GHSA-rq4w-cjrr-h8w8
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jhzk-d1en-gkhj |
|
| 37 |
| url |
VCID-jpky-uz5r-gbc8 |
| vulnerability_id |
VCID-jpky-uz5r-gbc8 |
| summary |
Keycloak SMTP Inject Vulnerability
Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.3.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.3.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 3 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 4 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 5 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 6 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 7 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 8 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 9 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 10 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 11 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 12 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 13 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 14 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 15 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 16 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 17 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 18 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 19 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 20 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 21 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.3.3 |
|
|
| aliases |
CVE-2025-8419, GHSA-m4j5-5x4r-2xp9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jpky-uz5r-gbc8 |
|
| 38 |
| url |
VCID-jq8s-nkj4-j7h7 |
| vulnerability_id |
VCID-jq8s-nkj4-j7h7 |
| summary |
Keycloak: Information disclosure of disabled user attributes via administrative endpoint
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3911, GHSA-xh32-c9wx-phrp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jq8s-nkj4-j7h7 |
|
| 39 |
| url |
VCID-k6ct-rgvj-t3an |
| vulnerability_id |
VCID-k6ct-rgvj-t3an |
| summary |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-86yc-ds2u-jba3 |
|
| 14 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 15 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 16 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 17 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 18 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 19 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 20 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 21 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 22 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 23 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 24 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 25 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 26 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 27 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 28 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 29 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 30 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 31 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 32 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 33 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 34 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 35 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 36 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 37 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 38 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 39 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 40 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 41 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 42 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 43 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 44 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 45 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 46 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 47 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 48 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 49 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 50 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 51 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 52 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 53 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 54 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 55 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 56 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 57 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 58 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 59 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 15 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 16 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 17 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 18 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 19 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 20 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 21 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 22 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 23 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 24 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 25 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 26 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 27 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 28 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 29 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 30 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 31 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 32 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 33 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 34 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 35 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 36 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 37 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 38 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 39 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 40 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 41 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 42 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 43 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 44 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 45 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 46 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 47 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 48 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 49 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 50 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 51 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 52 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 53 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 54 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 55 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 56 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 57 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.3 |
|
|
| aliases |
CVE-2023-6134, GHSA-cvg2-7c3j-g36j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k6ct-rgvj-t3an |
|
| 40 |
| url |
VCID-kbc1-6psh-17d8 |
| vulnerability_id |
VCID-kbc1-6psh-17d8 |
| summary |
Keycloak path transversal vulnerability in redirection validation
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1860 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1860 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1861 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1861 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1862 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1862 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1864 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1864 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1866 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1866 |
|
| 5 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 6 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 7 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:2945 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:2945 |
|
| 8 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3752 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3752 |
|
| 9 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3762 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3762 |
|
| 10 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3919 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3919 |
|
| 11 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3989 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3989 |
|
| 12 |
|
| 13 |
|
| 14 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2262117 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2262117 |
|
| 15 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-1132 |
| reference_id |
CVE-2024-1132 |
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-1132 |
|
| 40 |
|
| 41 |
|
| 42 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 41 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 42 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 43 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 44 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 45 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 46 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-1132, GHSA-72vp-xfrc-42xm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kbc1-6psh-17d8 |
|
| 41 |
| url |
VCID-kf26-bvty-a3g9 |
| vulnerability_id |
VCID-kf26-bvty-a3g9 |
| summary |
Client Spoofing within the Keycloak Device Authorisation Grant
Under certain pre-conditions the vulnerability allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 15 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 16 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 17 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 18 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 19 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 20 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 21 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 22 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 23 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 24 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 25 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 26 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 27 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 28 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 29 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 30 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 31 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 32 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 33 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 34 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 35 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 36 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 37 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 38 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 39 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 40 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 41 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 42 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 43 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 44 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 45 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 46 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 47 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 48 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 49 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 50 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 51 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 52 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 53 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 54 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 55 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 56 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 57 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 58 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 59 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 60 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@21.1.2 |
|
|
| aliases |
CVE-2023-2585, GHSA-f5h4-wmp5-xhg6
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kf26-bvty-a3g9 |
|
| 42 |
| url |
VCID-kmna-8rms-2bez |
| vulnerability_id |
VCID-kmna-8rms-2bez |
| summary |
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3009, GHSA-m297-3jv9-m927
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kmna-8rms-2bez |
|
| 43 |
| url |
VCID-m24y-x4sk-2yd6 |
| vulnerability_id |
VCID-m24y-x4sk-2yd6 |
| summary |
Keycloak vulnerable to LDAP Injection on UsernameForm Login
A flaw was found in the Keycloak package. This flaw allows an attacker to benefit from an LDAP query and access existing usernames in the server. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 15 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 16 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 17 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 18 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 19 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 20 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 21 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 22 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 23 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 24 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 25 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 26 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 27 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 28 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 29 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 30 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 31 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 32 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 33 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 34 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 35 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 36 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 37 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 38 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 39 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 40 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 41 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 42 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 43 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 44 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 45 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 46 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 47 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 48 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 49 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 50 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 51 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 52 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 53 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 54 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 55 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 56 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 57 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.1 |
|
|
| aliases |
CVE-2022-2232, GHSA-8hc5-rmgf-qx6p
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m24y-x4sk-2yd6 |
|
| 44 |
| url |
VCID-mt5g-24m9-tfbg |
| vulnerability_id |
VCID-mt5g-24m9-tfbg |
| summary |
Keycloak vulnerable to session hijacking via re-authentication
A flaw was found in Keycloak. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 41 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 42 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 43 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 44 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 45 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 46 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6787, GHSA-c9h6-v78w-52wj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mt5g-24m9-tfbg |
|
| 45 |
| url |
VCID-nw1y-zwsy-auff |
| vulnerability_id |
VCID-nw1y-zwsy-auff |
| summary |
Keycloak vulnerable to log Injection during WebAuthn authentication or registration
A flaw was found in keycloak 22.0.5. Errors in browser client during setup/auth with "Security Key login" (WebAuthn) are written into the form, send to Keycloak and logged without escaping allowing log injection.
Acknowledgements:
Special thanks toTheresa Henze for reporting this issue and helping us improve our security. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 15 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 16 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 17 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 18 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 19 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 20 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 21 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 22 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 23 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 24 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 25 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 26 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 27 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 28 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 29 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 30 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 31 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 32 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 33 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 34 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 35 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 36 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 37 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 38 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 39 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 40 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 41 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 42 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 43 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 44 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 45 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 46 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 47 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 48 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 49 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 50 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 51 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 52 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 53 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 54 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 55 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 56 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.5 |
|
|
| aliases |
CVE-2023-6484, GHSA-j628-q885-8gr5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nw1y-zwsy-auff |
|
| 46 |
|
| 47 |
| url |
VCID-pr4d-pmh8-yfeh |
| vulnerability_id |
VCID-pr4d-pmh8-yfeh |
| summary |
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache
A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.1.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 5 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 6 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 7 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 8 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 9 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 10 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 11 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 12 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 13 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 14 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 15 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 16 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 17 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 18 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 19 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 20 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 21 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 22 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 23 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 24 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 25 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 26 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 27 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 28 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 29 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 30 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 31 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 32 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.1.5 |
|
|
| aliases |
CVE-2025-2559, GHSA-2935-2wfm-hhpv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pr4d-pmh8-yfeh |
|
| 48 |
| url |
VCID-s9bw-xmnt-xqbp |
| vulnerability_id |
VCID-s9bw-xmnt-xqbp |
| summary |
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.5.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.5.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 2 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 3 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 4 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 5 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 6 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 7 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 8 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 9 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 10 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 11 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 12 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 13 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 14 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 15 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 16 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 17 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 18 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.5.3 |
|
|
| aliases |
CVE-2026-1190, GHSA-63v5-26vq-m4vm
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s9bw-xmnt-xqbp |
|
| 49 |
|
| 50 |
|
| 51 |
| url |
VCID-tv3h-kxj7-u7ct |
| vulnerability_id |
VCID-tv3h-kxj7-u7ct |
| summary |
Keycloak phishing attack via email verification step in first login flow
There is a flaw with the first login flow where, during a IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity.
This issue has been fixed in versions 26.0.13, 26.2.6, and 26.3.0. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:11986 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:11986 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:11987 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:11987 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:12015 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:12015 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:12016 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:12016 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2378852 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2378852 |
|
| 7 |
|
| 8 |
| reference_url |
https://github.com/keycloak/keycloak/issues/40446 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://github.com/keycloak/keycloak/issues/40446 |
|
| 9 |
| reference_url |
https://github.com/keycloak/keycloak/pull/40520 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://github.com/keycloak/keycloak/pull/40520 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2025-7365 |
| reference_id |
CVE-2025-7365 |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2025-7365 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 5 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 6 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 7 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 8 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 9 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 10 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 11 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 12 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 13 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 14 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 15 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 16 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 17 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 18 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 19 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 20 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 21 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 22 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 23 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 24 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 25 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 26 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 27 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 28 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 29 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 30 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 31 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 32 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 33 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 34 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.1.0 |
|
| 2 |
|
| 3 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.3.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.3.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 3 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 4 |
| vulnerability |
VCID-bw6h-4h9x-rbab |
|
| 5 |
| vulnerability |
VCID-c58s-s3rb-27fw |
|
| 6 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 7 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 8 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 9 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 10 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 11 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 12 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 13 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 14 |
| vulnerability |
VCID-pgjk-vhx6-yqbt |
|
| 15 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 16 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 17 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 18 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 19 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 20 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 21 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 22 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 23 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 24 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 25 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 26 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 27 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.3.0 |
|
|
| aliases |
CVE-2025-7365, GHSA-xhpr-465j-7p9q
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tv3h-kxj7-u7ct |
|
| 52 |
|
| 53 |
|
| 54 |
| url |
VCID-ugpk-g4qu-x3b5 |
| vulnerability_id |
VCID-ugpk-g4qu-x3b5 |
| summary |
Keycloak vulnerable to user impersonation via stolen UUID code
Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@19.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@19.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-asmd-x6cy-dqdt |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 17 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 18 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 19 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 20 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 21 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 22 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 23 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 24 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 25 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 26 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 27 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 28 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 31 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 32 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 33 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 34 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 35 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 36 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 37 |
| vulnerability |
VCID-kf26-bvty-a3g9 |
|
| 38 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 39 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 40 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 41 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 42 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 43 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 44 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 45 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 46 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 47 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 48 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 49 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 50 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 51 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 52 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 53 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 54 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 55 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 56 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 57 |
| vulnerability |
VCID-wxaq-rrqq-pyah |
|
| 58 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 59 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 60 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 61 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 62 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 63 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 64 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 65 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@19.0.0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@21.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@21.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-asmd-x6cy-dqdt |
|
| 15 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 16 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 17 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 18 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 19 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 20 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 21 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 22 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 23 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 24 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 25 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 26 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 27 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 28 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 29 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 30 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 31 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 32 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 33 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 34 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 35 |
| vulnerability |
VCID-kf26-bvty-a3g9 |
|
| 36 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 37 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 38 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 39 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 40 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 41 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 42 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 43 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 44 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 45 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 46 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 47 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 48 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 49 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 50 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 51 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 52 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 53 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 54 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 55 |
| vulnerability |
VCID-wxaq-rrqq-pyah |
|
| 56 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 57 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 58 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 59 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 60 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 61 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 62 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 63 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@21.0.1 |
|
|
| aliases |
CVE-2023-0264, GHSA-9g98-5mj6-f9mv, GMS-2023-573
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ugpk-g4qu-x3b5 |
|
| 55 |
|
| 56 |
| url |
VCID-uya7-2sk1-6uat |
| vulnerability_id |
VCID-uya7-2sk1-6uat |
| summary |
Keycloak secondary factor bypass in step-up authentication
Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1866 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1866 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 3 |
|
| 4 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-3597 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-3597 |
|
| 5 |
|
| 6 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2221760 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2221760 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 41 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 42 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 43 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 44 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 45 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 46 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-3597, GHSA-4f53-xh3v-g8x4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uya7-2sk1-6uat |
|
| 57 |
|
| 58 |
| url |
VCID-vdjk-2v9a-xfdk |
| vulnerability_id |
VCID-vdjk-2v9a-xfdk |
| summary |
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.5.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.5.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-58n2-w8fu-u3hc |
|
| 2 |
| vulnerability |
VCID-7fd4-t5k9-mfc7 |
|
| 3 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 4 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 5 |
| vulnerability |
VCID-bw6h-4h9x-rbab |
|
| 6 |
| vulnerability |
VCID-c58s-s3rb-27fw |
|
| 7 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 8 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 9 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 10 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 11 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 12 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 13 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 14 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 15 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 16 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 17 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 18 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 19 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 20 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 21 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 22 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 23 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 24 |
| vulnerability |
VCID-zr12-p5eq-wubj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.5.0 |
|
|
| aliases |
CVE-2025-14082, GHSA-6q37-7866-h27j
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vdjk-2v9a-xfdk |
|
| 59 |
|
| 60 |
| url |
VCID-w6nc-88yg-dkem |
| vulnerability_id |
VCID-w6nc-88yg-dkem |
| summary |
Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 5 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 6 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 7 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 8 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 9 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 10 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 11 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 12 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 13 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 14 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 15 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 16 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 17 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 18 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 19 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 20 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 21 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 22 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 23 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 24 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 25 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 26 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 27 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 28 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 29 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 30 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 31 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 32 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 33 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 34 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 35 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 36 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 37 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 38 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.6 |
|
|
| aliases |
CVE-2024-8883, GHSA-w8gr-xwp4-r9f7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w6nc-88yg-dkem |
|
| 61 |
| url |
VCID-wcb5-wnjf-5uhm |
| vulnerability_id |
VCID-wcb5-wnjf-5uhm |
| summary |
Duplicate Advisory: Keycloak has a brute force login protection bypass
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references.
## Original Description
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.4 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 41 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 42 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 43 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 44 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 45 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.4 |
|
|
| aliases |
GHSA-8wm9-24qg-m5qj
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wcb5-wnjf-5uhm |
|
| 62 |
| url |
VCID-wxaq-rrqq-pyah |
| vulnerability_id |
VCID-wxaq-rrqq-pyah |
| summary |
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients
When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3883 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3883 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3884 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3884 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3885 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3885 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3888 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3888 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3892 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3892 |
|
| 5 |
|
| 6 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-2422 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-2422 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2191668 |
| reference_id |
2191668 |
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2191668 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 15 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 16 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 17 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 18 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 19 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 20 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 21 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 22 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 23 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 24 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 25 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 26 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 27 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 28 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 29 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 30 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 31 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 32 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 33 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 34 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 35 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 36 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 37 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 38 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 39 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 40 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 41 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 42 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 43 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 44 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 45 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 46 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 47 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 48 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 49 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 50 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 51 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 52 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 53 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 54 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 55 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 56 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 57 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 58 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 59 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 60 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@21.1.2 |
|
|
| aliases |
CVE-2023-2422, GHSA-3qh5-qqj2-c78f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wxaq-rrqq-pyah |
|
| 63 |
| url |
VCID-xbkp-kjgd-fqcx |
| vulnerability_id |
VCID-xbkp-kjgd-fqcx |
| summary |
URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-86yc-ds2u-jba3 |
|
| 14 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 15 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 16 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 17 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 18 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 19 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 20 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 21 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 22 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 23 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 24 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 25 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 26 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 27 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 28 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 29 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 30 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 31 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 32 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 33 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 34 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 35 |
| vulnerability |
VCID-m24y-x4sk-2yd6 |
|
| 36 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 37 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 38 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 39 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 40 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 41 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 42 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 43 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 44 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 45 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 46 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 47 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 48 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 49 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 50 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 51 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 52 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 53 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 54 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 55 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 56 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 57 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 58 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 59 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2kyy-pzzx-n7gr |
|
| 4 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 5 |
| vulnerability |
VCID-2xvq-t8jp-zfbj |
|
| 6 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 7 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 8 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 9 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 10 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 11 |
| vulnerability |
VCID-6kbf-zmzu-xbgt |
|
| 12 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 13 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 14 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 15 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 16 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 17 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 18 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 19 |
| vulnerability |
VCID-dt1x-6344-fkda |
|
| 20 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 21 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 22 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 23 |
| vulnerability |
VCID-ghak-3963-juhk |
|
| 24 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 25 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 26 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 27 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 28 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 29 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 30 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 31 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 32 |
| vulnerability |
VCID-kbc1-6psh-17d8 |
|
| 33 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 34 |
| vulnerability |
VCID-mt5g-24m9-tfbg |
|
| 35 |
| vulnerability |
VCID-nw1y-zwsy-auff |
|
| 36 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 37 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 38 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 39 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 40 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 41 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 42 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 43 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 44 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 45 |
| vulnerability |
VCID-uya7-2sk1-6uat |
|
| 46 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 47 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 48 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 49 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 50 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 51 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 52 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 53 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 54 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 55 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 56 |
| vulnerability |
VCID-y5qk-qy59-23hn |
|
| 57 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.3 |
|
|
| aliases |
CVE-2023-6291, GHSA-mpwq-j3xf-7m5w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xbkp-kjgd-fqcx |
|
| 64 |
| url |
VCID-xbmd-afn2-kfem |
| vulnerability_id |
VCID-xbmd-afn2-kfem |
| summary |
Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.
### Original Description
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.3.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.3.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 3 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 4 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 5 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 6 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 7 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 8 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 9 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 10 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 11 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 12 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 13 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 14 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 15 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 16 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 17 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 18 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 19 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 20 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 21 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.3.3 |
|
|
| aliases |
GHSA-qj5r-2r5p-phc7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xbmd-afn2-kfem |
|
| 65 |
| url |
VCID-xk8n-4az9-zfh3 |
| vulnerability_id |
VCID-xk8n-4az9-zfh3 |
| summary |
Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-5jfq-x6xp-7rw2. This link is maintained to preserve external references.
# Original Description
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.2.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 5 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 6 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 7 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 8 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 9 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 10 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 11 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 12 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 13 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 14 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 15 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 16 |
| vulnerability |
VCID-mzdb-4zsz-qqhn |
|
| 17 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 18 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 19 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 20 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 21 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 22 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 23 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 24 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 25 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 26 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 27 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 28 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 29 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 30 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.2.2 |
|
|
| aliases |
GHSA-fx44-2wx5-5fvp
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xk8n-4az9-zfh3 |
|
| 66 |
| url |
VCID-xmxb-sg5r-ufbt |
| vulnerability_id |
VCID-xmxb-sg5r-ufbt |
| summary |
Keycloak hostname verification
A flaw was found in Keycloak. By setting a verification policy to 'ANY', the trust store certificate verification is skipped, which is unintended. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.2.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 5 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 6 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 7 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 8 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 9 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 10 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 11 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 12 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 13 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 14 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 15 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 16 |
| vulnerability |
VCID-mzdb-4zsz-qqhn |
|
| 17 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 18 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 19 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 20 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 21 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 22 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 23 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 24 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 25 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 26 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 27 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 28 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 29 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 30 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.2.2 |
|
|
| aliases |
CVE-2025-3501, GHSA-hw58-3793-42gg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xmxb-sg5r-ufbt |
|
| 67 |
|
| 68 |
|
| 69 |
| url |
VCID-y5qk-qy59-23hn |
| vulnerability_id |
VCID-y5qk-qy59-23hn |
| summary |
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS
A potential security flaw in the "checkLoginIframe" which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-2xg4-ad4r-4kce |
|
| 4 |
| vulnerability |
VCID-36v6-qmgy-j3cv |
|
| 5 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 6 |
| vulnerability |
VCID-4hs9-48uu-8qbf |
|
| 7 |
| vulnerability |
VCID-66zv-ra8w-s3b4 |
|
| 8 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 9 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 10 |
| vulnerability |
VCID-8ekh-fbbj-5yfb |
|
| 11 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 12 |
| vulnerability |
VCID-bub5-f9wf-57d4 |
|
| 13 |
| vulnerability |
VCID-cs4b-u9hn-9ugy |
|
| 14 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 15 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 16 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 17 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 18 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 19 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 20 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 21 |
| vulnerability |
VCID-hzvd-ugxf-9fcd |
|
| 22 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 23 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 24 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 25 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 26 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 27 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 28 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 29 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 30 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 31 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 32 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 33 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 34 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 35 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 36 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 37 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 38 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 39 |
| vulnerability |
VCID-w6nc-88yg-dkem |
|
| 40 |
| vulnerability |
VCID-wcb5-wnjf-5uhm |
|
| 41 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 42 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 43 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 44 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 45 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
| 46 |
| vulnerability |
VCID-zdyb-dh4t-5kam |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-1249, GHSA-m6q9-p373-g5q8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y5qk-qy59-23hn |
|
| 70 |
| url |
VCID-zdyb-dh4t-5kam |
| vulnerability_id |
VCID-zdyb-dh4t-5kam |
| summary |
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10175 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10175 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10176 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10176 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10177 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10177 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10178 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10178 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2321214 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2321214 |
|
| 7 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-10270 |
| reference_id |
CVE-2024-10270 |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-10270 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-12yb-w8kt-jyg3 |
|
| 1 |
| vulnerability |
VCID-1fwh-a287-5qgt |
|
| 2 |
| vulnerability |
VCID-1u7p-4qg4-yqbv |
|
| 3 |
| vulnerability |
VCID-3adr-h63v-c3eg |
|
| 4 |
| vulnerability |
VCID-6dya-2u73-vbee |
|
| 5 |
| vulnerability |
VCID-7uk5-w4qh-8uhq |
|
| 6 |
| vulnerability |
VCID-bebk-k27t-4qgf |
|
| 7 |
| vulnerability |
VCID-dckx-y9zp-d7fy |
|
| 8 |
| vulnerability |
VCID-dgdk-ahqm-9ken |
|
| 9 |
| vulnerability |
VCID-dwgd-79t9-d7a1 |
|
| 10 |
| vulnerability |
VCID-exeg-acrj-zkah |
|
| 11 |
| vulnerability |
VCID-fkdm-gq5h-rbg7 |
|
| 12 |
| vulnerability |
VCID-gv5e-6w51-uydc |
|
| 13 |
| vulnerability |
VCID-gyv4-k3na-eyhu |
|
| 14 |
| vulnerability |
VCID-j8hz-kys5-z3dr |
|
| 15 |
| vulnerability |
VCID-jhzk-d1en-gkhj |
|
| 16 |
| vulnerability |
VCID-jpky-uz5r-gbc8 |
|
| 17 |
| vulnerability |
VCID-jq8s-nkj4-j7h7 |
|
| 18 |
| vulnerability |
VCID-kmna-8rms-2bez |
|
| 19 |
| vulnerability |
VCID-pq67-ngsq-cbe4 |
|
| 20 |
| vulnerability |
VCID-pr4d-pmh8-yfeh |
|
| 21 |
| vulnerability |
VCID-s9bw-xmnt-xqbp |
|
| 22 |
| vulnerability |
VCID-shsh-c1xa-xbes |
|
| 23 |
| vulnerability |
VCID-sxtm-krnm-kff7 |
|
| 24 |
| vulnerability |
VCID-tv3h-kxj7-u7ct |
|
| 25 |
| vulnerability |
VCID-tvba-94zp-t3hc |
|
| 26 |
| vulnerability |
VCID-u2fq-9cjc-1kf6 |
|
| 27 |
| vulnerability |
VCID-uxs4-bydz-tbh4 |
|
| 28 |
| vulnerability |
VCID-v69z-xrfn-q3gu |
|
| 29 |
| vulnerability |
VCID-vdjk-2v9a-xfdk |
|
| 30 |
| vulnerability |
VCID-vums-fzus-q7dn |
|
| 31 |
| vulnerability |
VCID-xbmd-afn2-kfem |
|
| 32 |
| vulnerability |
VCID-xk8n-4az9-zfh3 |
|
| 33 |
| vulnerability |
VCID-xmxb-sg5r-ufbt |
|
| 34 |
| vulnerability |
VCID-xqks-vfap-aqb5 |
|
| 35 |
| vulnerability |
VCID-xymt-c6mk-73ff |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.6 |
|
|
| aliases |
CVE-2024-10270, GHSA-wq8x-cg39-8mrr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zdyb-dh4t-5kam |
|