Package details: pkg:alpm/archlinux/keycloak@15.0.2-1
purl: pkg:alpm/archlinux/keycloak@15.0.2-1
Next non-vulnerable version: 16.0.0-1
Latest non-vulnerable version: 16.0.0-1
Risk: 4.0
Vulnerabilities affecting this package (9)

VCID-3248-31p8-tyd4
Aliases: CVE-2020-1725, GHSA-p225-pc2x-4jpm
Summary: Incorrect Authorization. A flaw was found in Keycloak before version 13.0.0. In some scenarios a user still has access to a resource after the role mappings in Keycloak have been changed and the previous access token has expired.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.

VCID-6ure-3hgz-xfgn
Aliases: CVE-2020-14359, GHSA-jh6m-3pqw-242h
Summary: Authentication Bypass by Primary Weakness. A vulnerability was found in all versions of Keycloak where using lower-case HTTP headers (for example via cURL) bypasses the Gatekeeper. Lower-case headers are also accepted by some web servers (e.g. Jetty), so there is no protection when a Gatekeeper is placed in front of a Jetty server and lower-case headers are used.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.

VCID-7nv2-691y-13a1
Aliases: CVE-2020-1723
Summary: Keycloak: the logout endpoint /oauth/logout?redirect=url can be abused to redirect logged-in users to arbitrary web pages.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.

VCID-8zrg-f41g-pqfk
Aliases: CVE-2021-3827, GHSA-4pc7-vqv5-5r3v, GMS-2022-1098
Summary: ECP SAML binding bypasses authentication flows. A flaw was found in Keycloak where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass MFA by sending a SOAP request containing an AuthnRequest and an Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.

VCID-98yf-g4d3-u3g8
Aliases: CVE-2021-3424, GHSA-pf38-cw3p-22q9
Summary: Keycloak is vulnerable to IDN homograph attacks. A flaw was found in Keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register using a homograph of a name that is already registered and trick an admin into granting them extra privileges.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.

VCID-d1ua-u2v7-jqf8
Aliases: CVE-2021-20262, GHSA-xf46-8vvp-4hxx
Summary: Keycloak: Missing authentication for critical function. A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user's browser. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.

VCID-gndk-728r-9yh7
Aliases: CVE-2021-3632, GHSA-qpq9-jpv4-6gwr
Summary: Keycloak allows anyone to register a new security device or key for any user via the WebAuthn password-less login flow. A flaw was found in Keycloak: anyone can register a new security device or key for any user who does not already have a device registered, by using the WebAuthn password-less login flow.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.

VCID-hp5p-7wxk-v3eu
Aliases: CVE-2020-10734, GHSA-rvjg-gxwx-j5gf
Summary: Cross-Site Request Forgery (CSRF). A vulnerability was found in Keycloak: the OIDC logout endpoint has no CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-On 7, and Red Hat OpenShift Application Runtimes are believed to be vulnerable.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.

VCID-jprv-e2zb-v7bb
Aliases: CVE-2020-1717, GHSA-rvfc-g8j5-9ccf
Summary: Generation of Error Message Containing Sensitive Information. A flaw was found in Keycloak 7.0.1. A logged-in user can perform an account email enumeration attack.
Fixed by: 16.0.0-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-01T18:25:10.859626+00:00 | Arch Linux Importer | Affected by | VCID-hp5p-7wxk-v3eu | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.839661+00:00 | Arch Linux Importer | Affected by | VCID-6ure-3hgz-xfgn | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.816306+00:00 | Arch Linux Importer | Affected by | VCID-jprv-e2zb-v7bb | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.794087+00:00 | Arch Linux Importer | Affected by | VCID-7nv2-691y-13a1 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.772620+00:00 | Arch Linux Importer | Affected by | VCID-3248-31p8-tyd4 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.749417+00:00 | Arch Linux Importer | Affected by | VCID-d1ua-u2v7-jqf8 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.728193+00:00 | Arch Linux Importer | Affected by | VCID-98yf-g4d3-u3g8 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.707060+00:00 | Arch Linux Importer | Affected by | VCID-gndk-728r-9yh7 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.683597+00:00 | Arch Linux Importer | Affected by | VCID-8zrg-f41g-pqfk | https://security.archlinux.org/AVG-1332 | 38.0.0