| 0 |
| url |
VCID-14c3-xa9j-mbab |
| vulnerability_id |
VCID-14c3-xa9j-mbab |
| summary |
Incorrect implementation of lockout feature in Keycloak
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42201 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42238 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42214 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42189 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42225 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42174 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42156 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42216 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42207 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.4213 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-3513, GHSA-xv7h-95r7-595j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-14c3-xa9j-mbab |
|
| 1 |
| url |
VCID-2xyb-g3n4-n3ca |
| vulnerability_id |
VCID-2xyb-g3n4-n3ca |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1274 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.74741 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.7475 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.74771 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75057 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75046 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75012 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75036 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75007 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75004 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00978 |
| scoring_system |
epss |
| scoring_elements |
0.76771 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00978 |
| scoring_system |
epss |
| scoring_elements |
0.76766 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1274 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-1274, GHSA-m4fv-gm5m-4725, GMS-2023-528
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2xyb-g3n4-n3ca |
|
| 2 |
| url |
VCID-3248-31p8-tyd4 |
| vulnerability_id |
VCID-3248-31p8-tyd4 |
| summary |
Incorrect Authorization
A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3011 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30188 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30272 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3009 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3015 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30186 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30145 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30193 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30095 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30223 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-1725, GHSA-p225-pc2x-4jpm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3248-31p8-tyd4 |
|
| 3 |
| url |
VCID-49qw-j7rn-qfdf |
| vulnerability_id |
VCID-49qw-j7rn-qfdf |
| summary |
Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references.
# Original Description
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.
A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
GHSA-57rh-gr4v-j5f6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-49qw-j7rn-qfdf |
|
| 4 |
| url |
VCID-546n-kc1p-cyhm |
| vulnerability_id |
VCID-546n-kc1p-cyhm |
| summary |
Code injection in keycloak
A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20222 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63236 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63227 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63185 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.6315 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63202 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63219 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63221 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63096 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63184 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63155 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20222 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20222, GHSA-2mq8-99q7-55wx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-546n-kc1p-cyhm |
|
| 5 |
| url |
VCID-5apu-r7pn-byet |
| vulnerability_id |
VCID-5apu-r7pn-byet |
| summary |
keycloak Self Stored Cross-site Scripting vulnerability
A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20195 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53772 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53696 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53664 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53717 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53715 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53763 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53746 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53729 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53767 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53648 |
| published_at |
2026-04-01T12:55:00Z |
|
| 10 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53669 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20195 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 6 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 7 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 8 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 9 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 10 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 11 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 12 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 13 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 14 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 15 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 16 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 17 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 18 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 19 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 20 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 21 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 22 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 23 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 24 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.3 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20195, GHSA-q6w2-89hq-hq27
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5apu-r7pn-byet |
|
| 6 |
| url |
VCID-6s4w-hv7a-ffaw |
| vulnerability_id |
VCID-6s4w-hv7a-ffaw |
| summary |
Keycloak vulnerable to Server-Side Request Forgery
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10770 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99719 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99718 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.9972 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99717 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10770 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 7 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 8 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 9 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 10 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 11 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 12 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 13 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 14 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 15 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 16 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 17 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 18 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 19 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 20 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 21 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 22 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 23 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 24 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 25 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.2 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-10770, GHSA-jh7q-5mwf-qvhw
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6s4w-hv7a-ffaw |
|
| 7 |
| url |
VCID-7j7q-m1zp-zfac |
| vulnerability_id |
VCID-7j7q-m1zp-zfac |
| summary |
Keycloak has lack of validation of access token on client registrations endpoint
When a service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token.
If the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-0091 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T14:08:50Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-0091 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0091 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28303 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28511 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28302 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28367 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28411 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28414 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28371 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28313 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28325 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28469 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0091 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-0091, GHSA-v436-q368-hvgg, GMS-2023-37
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7j7q-m1zp-zfac |
|
| 8 |
| url |
VCID-7xuf-btg3-ckf6 |
| vulnerability_id |
VCID-7xuf-btg3-ckf6 |
| summary |
Keycloak Denial of Service vulnerability
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-6841 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T20:20:35Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-6841 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6841 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69851 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69859 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69845 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69796 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69874 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69788 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69811 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69896 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69887 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69836 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6841 |
|
| 3 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2254714 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T20:20:35Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2254714 |
|
| 4 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6841, GHSA-w97f-w3hq-36g2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7xuf-btg3-ckf6 |
|
| 9 |
| url |
VCID-c8ps-95au-zbg5 |
| vulnerability_id |
VCID-c8ps-95au-zbg5 |
| summary |
Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
### Summary
A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the groups' dropdown functionality.
### Impact
Successful attacks of this vulnerability can result a privileged attacker to load a XSS script, and steal data from other users. The impact can be considered moderate to low, considering privileged credentials are required.
### References
- Please refer to the Keycloak Security mailing list for more information. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-755v-r4x4-qf7m, GMS-2022-7509
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c8ps-95au-zbg5 |
|
| 10 |
| url |
VCID-djwn-hkwg-g3gk |
| vulnerability_id |
VCID-djwn-hkwg-g3gk |
| summary |
keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14302 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36059 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36254 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36287 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36123 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36172 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.3619 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36196 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36159 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36133 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36175 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.3616 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14302 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-14302
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-djwn-hkwg-g3gk |
|
| 11 |
| url |
VCID-dxj3-8sk5-mfdy |
| vulnerability_id |
VCID-dxj3-8sk5-mfdy |
| summary |
Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45477 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45418 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45438 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45382 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45437 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45458 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45428 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.4543 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45481 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dxj3-8sk5-mfdy |
|
| 12 |
| url |
VCID-e85z-cn66-fye8 |
| vulnerability_id |
VCID-e85z-cn66-fye8 |
| summary |
Keycloak Open Redirect vulnerability
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the `referrer` and `referrer_uri` parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.
Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the `redirect_uri` using URL encoding, to hide the text of the actual malicious website domain. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6502 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6502 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6503 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6503 |
|
| 2 |
|
| 3 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-7260 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-7260 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7260 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58672 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58607 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58628 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58598 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58649 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58656 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58673 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58654 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58634 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58667 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7260 |
|
| 5 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301875 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301875 |
|
| 6 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7260, GHSA-g4gc-rh26-m3p5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e85z-cn66-fye8 |
|
| 13 |
| url |
VCID-e9qa-sy57-fqby |
| vulnerability_id |
VCID-e9qa-sy57-fqby |
| summary |
Temporary Directory Hijacking Vulnerability in Keycloak
A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20202 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13871 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13879 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13984 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13999 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14128 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14184 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14081 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14036 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14078 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14047 |
| published_at |
2026-04-01T12:55:00Z |
|
| 10 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14134 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20202 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20202, GHSA-6xp6-fmc8-pmmr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e9qa-sy57-fqby |
|
| 14 |
| url |
VCID-eaaa-ejr9-6ygx |
| vulnerability_id |
VCID-eaaa-ejr9-6ygx |
| summary |
Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6502 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6502 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6503 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6503 |
|
| 2 |
|
| 3 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-7318 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-7318 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7318 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80304 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.8038 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80378 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80349 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80355 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.8037 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80351 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.8034 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80312 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80323 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7318 |
|
| 5 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 |
|
| 6 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7318, GHSA-xmmm-jw76-q7vg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eaaa-ejr9-6ygx |
|
| 15 |
| url |
VCID-em5z-nvqy-fucp |
| vulnerability_id |
VCID-em5z-nvqy-fucp |
| summary |
Keycloak has Files or Directories Accessible to External Parties
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3856 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58445 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58464 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58484 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58466 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58413 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58481 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58476 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.5846 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58407 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58329 |
| published_at |
2026-04-01T12:55:00Z |
|
| 10 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58433 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3856 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 2 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 3 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 4 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 5 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 6 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 7 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 8 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 13 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 14 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 15 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 16 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@15.1.0 |
|
|
| aliases |
CVE-2021-3856, GHSA-3w4v-rvc4-2xpw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-em5z-nvqy-fucp |
|
| 16 |
| url |
VCID-engr-q4ge-53dc |
| vulnerability_id |
VCID-engr-q4ge-53dc |
| summary |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6134 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85284 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85203 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85221 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85224 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85246 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85254 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85268 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85266 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85263 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85283 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6134 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6134, GHSA-cvg2-7c3j-g36j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-engr-q4ge-53dc |
|
| 17 |
| url |
VCID-epys-8p8v-zugv |
| vulnerability_id |
VCID-epys-8p8v-zugv |
| summary |
keycloak-core: open redirect via "form_post.jwt" JARM response mode
An incomplete fix was found in Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6927 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74719 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74632 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74658 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74633 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74665 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74679 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74703 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74682 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74674 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74711 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6927 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6927, GHSA-3p75-q5cc-qmj7, GHSA-9vm7-v8wj-3fqw, GMS-2024-51
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-epys-8p8v-zugv |
|
| 18 |
| url |
VCID-fknh-1j7d-jyeq |
| vulnerability_id |
VCID-fknh-1j7d-jyeq |
| summary |
Improper authorization in Keycloak
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1466 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36609 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36626 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36692 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3652 |
| published_at |
2026-04-01T12:55:00Z |
|
| 4 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36723 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3658 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36604 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36638 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36632 |
| published_at |
2026-04-09T12:55:00Z |
|
| 9 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36613 |
| published_at |
2026-04-08T12:55:00Z |
|
| 10 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36561 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1466 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-1466, GHSA-f32v-vf79-p29q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fknh-1j7d-jyeq |
|
| 19 |
| url |
VCID-gndk-728r-9yh7 |
| vulnerability_id |
VCID-gndk-728r-9yh7 |
| summary |
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3632 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66137 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66012 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66055 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66083 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66049 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66098 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.6611 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66129 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66117 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66087 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66123 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3632 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 2 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 3 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 4 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 5 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 6 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 7 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 8 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 13 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 14 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 15 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 16 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@15.1.0 |
|
|
| aliases |
CVE-2021-3632, GHSA-qpq9-jpv4-6gwr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gndk-728r-9yh7 |
|
| 20 |
| url |
VCID-heqp-u355-wyaz |
| vulnerability_id |
VCID-heqp-u355-wyaz |
| summary |
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-10039, GHSA-93ww-43rr-79v3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-heqp-u355-wyaz |
|
| 21 |
| url |
VCID-j1rd-aem6-vfgj |
| vulnerability_id |
VCID-j1rd-aem6-vfgj |
| summary |
Keycloak vulnerable to Improper Certificate Validation
keycloak accepts an expired certificate by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.
This issue was partially fixed in version [13.0.1](https://github.com/keycloak/keycloak/pull/6330) and more completely fixed in version [14.0.0](https://github.com/keycloak/keycloak/pull/8067). |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-35509 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24999 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25039 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25025 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.2498 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24911 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25021 |
| published_at |
2026-04-01T12:55:00Z |
|
| 6 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.2495 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24958 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24945 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25137 |
| published_at |
2026-04-04T12:55:00Z |
|
| 10 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25098 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-35509 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@14.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@14.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 15 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 16 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 17 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@14.0.0 |
|
|
| aliases |
CVE-2020-35509, GHSA-rpj2-w6fr-79hc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j1rd-aem6-vfgj |
|
| 22 |
| url |
VCID-kp25-fan9-jkd2 |
| vulnerability_id |
VCID-kp25-fan9-jkd2 |
| summary |
Keycloak allows cross-site scripting (XSS)
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4028 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29138 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29184 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29178 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.2909 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29136 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29073 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29113 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29086 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.0015 |
| scoring_system |
epss |
| scoring_elements |
0.3563 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.0015 |
| scoring_system |
epss |
| scoring_elements |
0.35655 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4028 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-4028, GHSA-q4xq-445g-g6ch
|
| risk_score |
1.7 |
| exploitability |
0.5 |
| weighted_severity |
3.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kp25-fan9-jkd2 |
|
| 23 |
| url |
VCID-n23y-qjaf-tfcm |
| vulnerability_id |
VCID-n23y-qjaf-tfcm |
| summary |
Keycloak XSS via use of malicious payload as group name when creating new group from admin console
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0225 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.6548 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65401 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65428 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65391 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65444 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65455 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65474 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.6546 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65432 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65469 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65353 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0225 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-0225, GHSA-fqc7-5xxc-ph7r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n23y-qjaf-tfcm |
|
| 24 |
| url |
VCID-nhe2-8dtq-gqbf |
| vulnerability_id |
VCID-nhe2-8dtq-gqbf |
| summary |
URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6291 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39708 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39721 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39743 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39661 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39715 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.3973 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39739 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39703 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39687 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39737 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6291 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6291, GHSA-mpwq-j3xf-7m5w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nhe2-8dtq-gqbf |
|
| 25 |
| url |
VCID-sk6p-vfu6-7kem |
| vulnerability_id |
VCID-sk6p-vfu6-7kem |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50621 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50518 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50573 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.5057 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50612 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50589 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50574 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50616 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50481 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50537 |
| published_at |
2026-04-02T12:55:00Z |
|
| 10 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50565 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 25 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 26 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 27 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-10776, GHSA-484q-784p-8m5h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sk6p-vfu6-7kem |
|
| 26 |
| url |
VCID-t22n-hvrb-67b5 |
| vulnerability_id |
VCID-t22n-hvrb-67b5 |
| summary |
Authentication Bypass in keycloak
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27826 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37638 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37668 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37622 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37687 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.377 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37666 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37538 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37685 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37719 |
| published_at |
2026-04-02T12:55:00Z |
|
| 10 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37744 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27826 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 25 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 26 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 27 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-27826, GHSA-m9cj-v55f-8x26
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t22n-hvrb-67b5 |
|
| 27 |
| url |
VCID-th5p-51pd-3ffg |
| vulnerability_id |
VCID-th5p-51pd-3ffg |
| summary |
Improper privilege management in Keycloak
A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14389 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35326 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35321 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35299 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35337 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35177 |
| published_at |
2026-04-01T12:55:00Z |
|
| 5 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35378 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35403 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35285 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35331 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35356 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35358 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14389 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 25 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 26 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 27 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-14389, GHSA-c9x9-xv66-xp3v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-th5p-51pd-3ffg |
|
| 28 |
| url |
VCID-u5ba-kpd5-67bm |
| vulnerability_id |
VCID-u5ba-kpd5-67bm |
| summary |
Keycloak discloses information without authentication
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27838 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.9936 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99357 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99356 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99355 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99354 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99349 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99353 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99352 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27838 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-27838, GHSA-pcv5-m2wh-66j3
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u5ba-kpd5-67bm |
|
| 29 |
| url |
VCID-yaxc-7za7-zbbe |
| vulnerability_id |
VCID-yaxc-7za7-zbbe |
| summary |
Keycloak vulnerable to untrusted certificate validation
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-1664 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48738 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48731 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48739 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48783 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48787 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48756 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48709 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48734 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48688 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48742 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-1664 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-1664, GHSA-5cc8-pgp5-7mpm, GHSA-c892-cwq6-qrqf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yaxc-7za7-zbbe |
|