Search for packages
| purl | pkg:maven/org.keycloak/keycloak-core@25.0.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-eaaa-ejr9-6ygx
Aliases: CVE-2024-7318 GHSA-xmmm-jw76-q7vg |
Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
Affected by 2 other vulnerabilities. |
|
VCID-heqp-u355-wyaz
Aliases: CVE-2024-10039 GHSA-93ww-43rr-79v3 |
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism. |
Affected by 1 other vulnerability. |
|
VCID-kp25-fan9-jkd2
Aliases: CVE-2024-4028 GHSA-q4xq-445g-g6ch |
Keycloak allows cross-site scripting (XSS) A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||