Package details: pkg:alpm/archlinux/keycloak@16.0.0-1
purl pkg:alpm/archlinux/keycloak@16.0.0-1
Vulnerabilities affecting this package (0)
Vulnerability | Summary | Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (9)
Vulnerability | Summary | Aliases
VCID-3248-31p8-tyd4 | Incorrect Authorization: A flaw was found in Keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. | CVE-2020-1725, GHSA-p225-pc2x-4jpm
VCID-6ure-3hgz-xfgn | Authentication Bypass by Primary Weakness: A vulnerability was found in all versions of Keycloak, where using lower-case HTTP headers (via cURL) bypasses the Gatekeeper. Lower-case headers are also accepted by some web servers (e.g. Jetty). This means there is no protection when a Gatekeeper is placed in front of a Jetty server and lower-case headers are used. | CVE-2020-14359, GHSA-jh6m-3pqw-242h
VCID-7nv2-691y-13a1 | Keycloak: logout endpoint /oauth/logout?redirect=url can be abused to redirect logged-in users to arbitrary web pages. | CVE-2020-1723
VCID-8zrg-f41g-pqfk | ECP SAML binding bypasses authentication flows: A flaw was found in Keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass MFA authentication by sending a SOAP request with an AuthnRequest and an Authorization header carrying the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. | CVE-2021-3827, GHSA-4pc7-vqv5-5r3v, GMS-2022-1098
VCID-98yf-g4d3-u3g8 | Keycloak is vulnerable to IDN homograph attack: A flaw was found in Keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register with a name that looks like one already registered and trick an admin into granting them extra privileges. | CVE-2021-3424, GHSA-pf38-cw3p-22q9
VCID-d1ua-u2v7-jqf8 | Keycloak Missing Authentication for Critical Function: A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user's browser. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability. | CVE-2021-20262, GHSA-xf46-8vvp-4hxx
VCID-gndk-728r-9yh7 | Keycloak allows anyone to register a new security device or key for any user by using the WebAuthn password-less login flow: A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key for any user who does not already have a device registered, by using the WebAuthn password-less login flow. | CVE-2021-3632, GHSA-qpq9-jpv4-6gwr
VCID-hp5p-7wxk-v3eu | Cross-Site Request Forgery (CSRF): A vulnerability was found in Keycloak in that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-On 7, and Red Hat OpenShift Application Runtimes are believed to be vulnerable. | CVE-2020-10734, GHSA-rvjg-gxwx-j5gf
VCID-jprv-e2zb-v7bb | Generation of Error Message Containing Sensitive Information: A flaw was found in Keycloak 7.0.1. A logged-in user can perform an account email enumeration attack. | CVE-2020-1717, GHSA-rvfc-g8j5-9ccf

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-01T18:25:10.863633+00:00 | Arch Linux Importer | Fixing | VCID-hp5p-7wxk-v3eu | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.843159+00:00 | Arch Linux Importer | Fixing | VCID-6ure-3hgz-xfgn | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.819821+00:00 | Arch Linux Importer | Fixing | VCID-jprv-e2zb-v7bb | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.797692+00:00 | Arch Linux Importer | Fixing | VCID-7nv2-691y-13a1 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.776381+00:00 | Arch Linux Importer | Fixing | VCID-3248-31p8-tyd4 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.753122+00:00 | Arch Linux Importer | Fixing | VCID-d1ua-u2v7-jqf8 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.731812+00:00 | Arch Linux Importer | Fixing | VCID-98yf-g4d3-u3g8 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.710716+00:00 | Arch Linux Importer | Fixing | VCID-gndk-728r-9yh7 | https://security.archlinux.org/AVG-1332 | 38.0.0
2026-04-01T18:25:10.688131+00:00 | Arch Linux Importer | Fixing | VCID-8zrg-f41g-pqfk | https://security.archlinux.org/AVG-1332 | 38.0.0