VulnerableCode Package Details - pkg:alpm/archlinux/keycloak@13.0.0-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-1jc1-3gjk-m3bz Aliases: CVE-2021-3461 GHSA-cm29-6wx7-p874	Insufficient Session Expiration A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].	13.0.1-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1jc1-3gjk-m3bz
Aliases:
CVE-2021-3461
GHSA-cm29-6wx7-p874

Insufficient Session Expiration A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].

13.0.1-1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-14c3-xa9j-mbab	Incorrect implementation of lockout feature in Keycloak A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.	CVE-2021-3513 GHSA-xv7h-95r7-595j
VCID-546n-kc1p-cyhm	Code injection in keycloak A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.	CVE-2021-20222 GHSA-2mq8-99q7-55wx
VCID-djwn-hkwg-g3gk	keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks	CVE-2020-14302
VCID-e9qa-sy57-fqby	Temporary Directory Hijacking Vulnerability in Keycloak A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.	CVE-2021-20202 GHSA-6xp6-fmc8-pmmr
VCID-u5ba-kpd5-67bm	Keycloak discloses information without authentication A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.	CVE-2020-27838 GHSA-pcv5-m2wh-66j3

Vulnerability

Summary

Aliases

VCID-14c3-xa9j-mbab

Incorrect implementation of lockout feature in Keycloak A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.

CVE-2021-3513
GHSA-xv7h-95r7-595j

VCID-546n-kc1p-cyhm

Code injection in keycloak A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2021-20222
GHSA-2mq8-99q7-55wx

VCID-djwn-hkwg-g3gk

keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks

CVE-2020-14302

VCID-e9qa-sy57-fqby

Temporary Directory Hijacking Vulnerability in Keycloak A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.

CVE-2021-20202
GHSA-6xp6-fmc8-pmmr

VCID-u5ba-kpd5-67bm

Keycloak discloses information without authentication A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-27838
GHSA-pcv5-m2wh-66j3

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T18:27:18.198801+00:00	Arch Linux Importer	Affected by	VCID-1jc1-3gjk-m3bz	https://security.archlinux.org/AVG-1994	38.0.0
2026-04-01T18:25:34.812339+00:00	Arch Linux Importer	Fixing	VCID-djwn-hkwg-g3gk	https://security.archlinux.org/AVG-1926	38.0.0
2026-04-01T18:25:34.787469+00:00	Arch Linux Importer	Fixing	VCID-u5ba-kpd5-67bm	https://security.archlinux.org/AVG-1926	38.0.0
2026-04-01T18:25:34.764960+00:00	Arch Linux Importer	Fixing	VCID-e9qa-sy57-fqby	https://security.archlinux.org/AVG-1926	38.0.0
2026-04-01T18:25:34.741242+00:00	Arch Linux Importer	Fixing	VCID-546n-kc1p-cyhm	https://security.archlinux.org/AVG-1926	38.0.0
2026-04-01T18:25:34.716266+00:00	Arch Linux Importer	Fixing	VCID-14c3-xa9j-mbab	https://security.archlinux.org/AVG-1926	38.0.0