| purl | pkg:maven/org.keycloak/keycloak-parent@2.2.0.Final |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-14c3-xa9j-mbab (Aliases: CVE-2021-3513, GHSA-xv7h-95r7-595j) | Incorrect implementation of lockout feature in Keycloak. A flaw was found in Keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. | Affected by 13 other vulnerabilities. |
| VCID-3248-31p8-tyd4 (Aliases: CVE-2020-1725, GHSA-p225-pc2x-4jpm) | Incorrect Authorization. A flaw was found in Keycloak before version 13.0.0. In some scenarios a user still has access to a resource after the role mappings have been changed in Keycloak and after the previous access token has expired. | Affected by 13 other vulnerabilities. |
| VCID-3jpe-awam-wqdz (Aliases: CVE-2026-0707, GHSA-gv94-wp4h-vv8p) | Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization. A flaw was found in Keycloak. The Authorization header parser is overly permissive about the formatting of the "Bearer" authentication scheme: it accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750. | Affected by 2 other vulnerabilities. |
| VCID-6ure-3hgz-xfgn (Aliases: CVE-2020-14359, GHSA-jh6m-3pqw-242h) | Authentication Bypass by Primary Weakness. A vulnerability was found in all versions of Keycloak where sending HTTP header names in lower case (for example via cURL) bypasses the Keycloak Gatekeeper. Lower-case header names are also accepted by some web servers (e.g. Jetty), so there is no protection when a Gatekeeper is placed in front of a Jetty server and lower-case headers are used. | Affected by 13 other vulnerabilities. |
| VCID-78nt-79j3-k3fh (Aliases: CVE-2018-14655, GHSA-458h-wv48-fq75) | Cross-site Scripting. When using `response_mode=form_post` it is possible to inject arbitrary JavaScript code via the `state` parameter in the authentication URL. This allows an XSS attack after a successful login. | Affected by 22 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-7z49-f322-n7g8 (Aliases: CVE-2022-2668, GHSA-wf7g-7h6h-678v) | Keycloak SAML JavaScript protocol mapper: uploading of scripts through the admin console. An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the `UPLOAD_SCRIPTS` feature is disabled. | Affected by 6 other vulnerabilities. |
| VCID-8zrg-f41g-pqfk (Aliases: CVE-2021-3827, GHSA-4pc7-vqv5-5r3v, GMS-2022-1098) | ECP SAML binding bypasses authentication flows. A flaw was found in Keycloak where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass MFA by sending a SOAP request containing an AuthnRequest together with an Authorization header carrying the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. | Affected by 8 other vulnerabilities. |
| VCID-9bn2-agpc-hfdz (Aliases: CVE-2017-12158, GHSA-v38p-mqq3-m6v5) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to achieve reflected XSS via a malicious server. | Affected by 0 other vulnerabilities. Affected by 23 other vulnerabilities. |
| VCID-cabc-jrpz-vuad (Aliases: CVE-2022-2256, GHSA-w9mf-83w3-fv49) | Keycloak vulnerable to Stored Cross-site Scripting (XSS) when loading default roles. A stored XSS vulnerability was reported on the Keycloak security mailing list, affecting all versions of Keycloak including the latest release at the time (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the default roles functionality. CVSS 3.1: 3.8, vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N. Vector clarification: user interaction is not required because the admin console is regularly used during an administrator's work; the scope is unchanged because the admin console web application is both the vulnerable component and where the exploit executes. Credits: Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz), NETAŞ PENTEST TEAM. | Affected by 6 other vulnerabilities. |
| VCID-dxj3-8sk5-mfdy (Aliases: CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406) | Insufficient Session Expiration. A flaw was found in the offline_access scope in Keycloak. It affects users of shared computers in particular (especially if cookies are not cleared), due to a lack of root session validation and the reuse of session IDs across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when the refresh token is used, the attacker is issued a token for the original user. | Affected by 4 other vulnerabilities. |
| VCID-evqq-d8uz-9be1 (Aliases: CVE-2018-14657, GHSA-85v8-vx4w-q684) | Improper Authentication. When TOTP is enabled, an improper implementation of the brute force detection algorithm does not enforce its protection measures. | Affected by 21 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-f763-ps3s-b3ep (Aliases: CVE-2017-12159, GHSA-7fmw-85qm-h22p) | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | Affected by 0 other vulnerabilities. Affected by 23 other vulnerabilities. |
| VCID-f8mj-85vd-2yh5 (Aliases: CVE-2020-10758, GHSA-52rg-hpwq-qp56) | Allocation of Resources Without Limits or Throttling. A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | Affected by 18 other vulnerabilities. |
| VCID-gjzp-cqhp-augx (Aliases: CVE-2020-10748, GHSA-hgpg-593r-hhvp) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks. | Affected by 19 other vulnerabilities. |
| VCID-gndk-728r-9yh7 (Aliases: CVE-2021-3632, GHSA-qpq9-jpv4-6gwr) | Keycloak allows anyone to register a new security device or key for any user by using the WebAuthn password-less login flow. A flaw was found in Keycloak: anyone can register a new security device or key for any user who does not yet have a device registered, by using the WebAuthn password-less login flow. | Affected by 11 other vulnerabilities. |
| VCID-jkh6-bvx2-dycm (Aliases: CVE-2026-1518, GHSA-fwhw-chw4-gh37) | Keycloak Server-Side Request Forgery (SSRF) vulnerability. A flaw was found in Keycloak's CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. | Affected by 1 other vulnerability. |
| VCID-jprv-e2zb-v7bb (Aliases: CVE-2020-1717, GHSA-rvfc-g8j5-9ccf) | Generation of Error Message Containing Sensitive Information. A flaw was found in Keycloak 7.0.1. A logged-in user can perform an account email enumeration attack. | Affected by 20 other vulnerabilities. |
| VCID-mumt-rvzk-w7d4 (Aliases: CVE-2020-1718, GHSA-j229-2h63-rvh9) | Improper Authentication. A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. | Affected by 20 other vulnerabilities. |
| VCID-nhe2-8dtq-gqbf (Aliases: CVE-2023-6291, GHSA-mpwq-j3xf-7m5w) | URL Redirection to Untrusted Site ('Open Redirect'). A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. | Affected by 3 other vulnerabilities. |
| VCID-rssz-yqj9-b7h8 (Aliases: CVE-2020-14366, GHSA-cp67-8w3w-6h9c) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). A vulnerability was found in Keycloak where path traversal using URL-encoded path segments in the request is possible, because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw. | Affected by 17 other vulnerabilities. |
| VCID-sk6p-vfu6-7kem (Aliases: CVE-2020-10776, GHSA-484q-784p-8m5h) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a cross-site scripting attack. | Affected by 17 other vulnerabilities. |
| VCID-w7ds-xt1u-9uf9 (Aliases: CVE-2017-12160, GHSA-qc72-gfvw-76h7) | Improper Authentication. It was found that Keycloak OAuth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage after permissions have been revoked. An attacker on an already compromised resource could use this flaw to grant themselves continued permissions and possibly conduct further attacks. | Affected by 26 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-xauc-r9cm-sycu (Aliases: CVE-2022-3782, GHSA-g8q8-fggx-9r3q, GMS-2022-8407) | Keycloak vulnerable to path traversal via double URL encoding. Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks. | Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-xdfe-9zr4-47ax (Aliases: CVE-2021-3637, GHSA-2vp8-jv5v-6qh6) | Allocation of Resources Without Limits or Throttling. A flaw was found in keycloak-model-infinispan in Keycloak where the authenticationSessions map in RootAuthenticationSessionEntity grows without bound, which could lead to a DoS attack. | Affected by 12 other vulnerabilities. |
| VCID-xdxx-tdkj-wbba (Aliases: CVE-2020-1758, GHSA-c597-f74m-jgc2) | Improper Certificate Validation. A flaw was found in Keycloak in versions before 10.0.0, where it does not perform TLS hostname verification when sending emails via the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. | Affected by 20 other vulnerabilities. |
| VCID-yk5u-7cuz-7kdt (Aliases: CVE-2020-1694, GHSA-72j4-94rx-cr6w) | Incorrect Permission Assignment for Critical Resource. A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions. | Affected by 20 other vulnerabilities. |
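Two of the entries above are really the same header-handling rule seen from both ends: CVE-2026-0707 (the Bearer parser accepting tabs and case variants) and CVE-2020-14359 (lower-case header names slipping past the Gatekeeper). The rule is to match header names case-insensitively, then parse the credential strictly, before any authorization decision is taken. The Python below is an added example written for this page, not Keycloak or Gatekeeper code; the permissive parser is constructed to illustrate the flaw pattern the advisory describes, and the sample headers are made up. One caveat: RFC 7235 treats auth-scheme names as case-insensitive in general, so the scheme-case check follows the advisory's strict reading of the literal "Bearer" in RFC 6750; the unambiguous part is rejecting tabs as separators.

```python
import re
from typing import Mapping, Optional

# HTTP header names are case-insensitive (RFC 7230). A gateway that only
# strips or inspects the exact spelling "Authorization" can be bypassed with
# "authorization", so always compare names case-insensitively.
def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None

# RFC 6750 section 2.1:  credentials = "Bearer" 1*SP b64token
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# Only plain spaces (SP) separate scheme and token; a tab is not SP.
_BEARER_STRICT = re.compile(r"Bearer +([A-Za-z0-9\-._~+/]+=*)")

def parse_bearer_strict(value: str) -> Optional[str]:
    m = _BEARER_STRICT.fullmatch(value)
    return m.group(1) if m else None

# Permissive parser, constructed to show the flaw pattern (not Keycloak's code):
# any whitespace splits scheme and token, and the scheme is matched
# case-insensitively.
def parse_bearer_permissive(value: str) -> Optional[str]:
    parts = value.split(None, 1)
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    return None

def extract_token(headers: Mapping[str, str], strict: bool = True) -> Optional[str]:
    """Return the bearer token carried by a request, or None if absent/malformed."""
    raw = get_header(headers, "Authorization")
    if raw is None:
        return None
    parser = parse_bearer_strict if strict else parse_bearer_permissive
    return parser(raw)

# Constructed sample requests (the token values are placeholders).
SAMPLES = {
    "lowercase name":   {"authorization": "Bearer eyJhbGciOi.payload.sig"},
    "tab separator":    {"Authorization": "Bearer\teyJhbGciOi.payload.sig"},
    "lowercase scheme": {"Authorization": "bearer eyJhbGciOi.payload.sig"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:17} strict={extract_token(hdrs)!r:32} "
              f"permissive={extract_token(hdrs, strict=False)!r}")
```

The gateway and the backend must agree on whether a request carries credentials; the Gatekeeper bypass is exactly the case where the front component sees "no Authorization header" while Jetty behind it happily reads `authorization`.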
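Five entries above fail the same way: a URL is checked before it is canonicalized. The redirect_uri entries (CVE-2020-10776 unsafe schemes, CVE-2020-10748 data URLs, CVE-2023-6291 allowed-host bypass, CVE-2022-3782 double URL encoding) and the resources endpoint entry (CVE-2020-14366, URL-encoded path segments turned into a file path) all need the same step: percent-decode until the value stops changing, then validate the decoded form. The Python below is an added example for this page and is not Keycloak's implementation; the allowed host `app.example`, the `https`-only scheme policy and the base directory `/srv/keycloak/themes` are assumptions chosen for the demonstration.

```python
import os
from typing import Iterable
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3   # assumption: more encoding layers than this is treated as hostile


class Rejected(ValueError):
    """Raised when a redirect target or resource path fails validation."""


def canonicalize(value: str) -> str:
    """Percent-decode until the value stops changing, so %252e%252e ('..' encoded
    twice) is seen as '..' by every check that follows."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise Rejected("too many layers of percent-encoding")


def _has_dot_segment(path: str) -> bool:
    # Backslash is included because some components treat it as a separator.
    return any(seg in (".", "..") for seg in path.split("/")) or "\\" in path


# --- redirect_uri: scheme allowlist, host allowlist, traversal, double encoding

ALLOWED_SCHEMES = {"https"}   # assumption: this client only registers https URIs


def validate_redirect_uri(uri: str, allowed_hosts: Iterable[str]) -> str:
    """Return the canonical URI if it is acceptable, else raise Rejected."""
    canon = canonicalize(uri)
    parts = urlsplit(canon)
    if parts.scheme not in ALLOWED_SCHEMES:          # blocks javascript:, data:, //host
        raise Rejected(f"scheme not allowed: {parts.scheme or '(none)'}")
    if parts.username is not None:                   # https://good.example@evil.example/
        raise Rejected("userinfo not allowed")
    if parts.hostname not in {h.lower() for h in allowed_hosts}:
        raise Rejected(f"host not allowed: {parts.hostname}")
    if _has_dot_segment(parts.path):
        raise Rejected("path traversal in redirect target")
    return canon


def is_allowed_redirect(uri: str, allowed_hosts: Iterable[str]) -> bool:
    try:
        validate_redirect_uri(uri, allowed_hosts)
        return True
    except Rejected:
        return False


# --- resources endpoint: request path -> file below a fixed directory

def resolve_resource(base_dir: str, request_path: str) -> str:
    """Map a request path to a file under base_dir. Returns the path relative to
    base_dir, or raises Rejected if the request would escape it."""
    canon = canonicalize(request_path)
    if "\x00" in canon or _has_dot_segment(canon):
        raise Rejected("forbidden segment or character")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, canon.lstrip("/")))
    if os.path.commonpath([base, target]) != base:   # defence in depth after realpath
        raise Rejected("escapes base directory")
    return os.path.relpath(target, base)


def is_confined(base_dir: str, request_path: str) -> bool:
    try:
        resolve_resource(base_dir, request_path)
        return True
    except Rejected:
        return False
```

The order matters: decoding after the scheme or host check is what lets `%252e%252e` or an encoded `@` through. Rejecting rather than normalizing dot-segments is deliberate; a registered redirect URI has no business containing `..`.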
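CVE-2020-1694 above is an audience problem: a token validly signed by the realm for one client was accepted by a NodeJS adapter protecting a different client, because the adapter did not check `aud`. The check itself is small, but it only means something when it sits after signature and expiry verification, so the block below carries the whole chain. It is an added example for this page, written in Python and not the adapter's code; it mints tokens with HS256 and a constructed key so it can run offline (a Keycloak realm signs with an asymmetric key, and a real verifier would fetch the realm's public key), and the client names `frontend` and `account-service` are made up.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenRejected(ValueError):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT with HS256 (demo helper so the example runs offline)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, expected_aud: str, now: Optional[float] = None) -> dict:
    """Verify signature, expiry and audience in that order; return the claims."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:
        raise TokenRejected("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    if header.get("alg") != "HS256":          # never let the token choose 'none'
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenRejected("bad signature")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("missing or past exp")
    # The check the adapter lacked: 'aud' may be a string or a list (RFC 7519),
    # and this resource server must be named in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise TokenRejected(f"audience mismatch: {audiences}")
    return claims


def accepts(token: str, key: bytes, expected_aud: str, now: Optional[float] = None) -> bool:
    try:
        verify_token(token, key, expected_aud, now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    tok = sign_hs256({"sub": "alice", "aud": "frontend", "azp": "frontend", "exp": time.time() + 300}, key)
    print("frontend accepts:", accepts(tok, key, "frontend"))
    print("account-service accepts:", accepts(tok, key, "account-service"))
```

In Keycloak terms the `expected_aud` is what the adapter's verify-token-audience setting compares against; without it, any bearer token from the realm opens every client that trusts the realm's key.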
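CVE-2018-14655 above is the classic attribute-context XSS: with `response_mode=form_post` the authorization server renders an auto-submitting HTML form, and the client-supplied `state` value was written into that form unescaped. The pair below is an added example for this page, not Keycloak's template: one builder reproduces the flaw pattern, the other escapes every attribute value. The redirect URI, code and payload are constructed.

```python
import html

# Minimal form_post response page; the real one also sets headers and the
# other response parameters, which do not change the escaping question.
FORM_TEMPLATE = """<html><body onload="document.forms[0].submit()">
<form method="post" action="{action}">
<input type="hidden" name="code" value="{code}"/>
<input type="hidden" name="state" value="{state}"/>
</form></body></html>"""


def form_post_vulnerable(redirect_uri: str, code: str, state: str) -> str:
    """Flaw pattern: caller-controlled values land in attribute values verbatim."""
    return FORM_TEMPLATE.format(action=redirect_uri, code=code, state=state)


def _attr(value: str) -> str:
    # quote=True also escapes " and ', which is what keeps a value inside value="..."
    return html.escape(value, quote=True)


def form_post_hardened(redirect_uri: str, code: str, state: str) -> str:
    """Every interpolated value is HTML-escaped for the attribute context."""
    return FORM_TEMPLATE.format(action=_attr(redirect_uri), code=_attr(code), state=_attr(state))


def attribute_broken_out(page: str, payload: str) -> bool:
    """True if the raw payload survives in the page, i.e. it closed the attribute."""
    return payload in page


# Constructed state value of the shape used for this bug class.
PAYLOAD = '"><script>alert(document.cookie)</script><input value="'

if __name__ == "__main__":
    args = ("https://app.example/cb", "abc123", PAYLOAD)
    print("vulnerable broken out:", attribute_broken_out(form_post_vulnerable(*args), PAYLOAD))
    print("hardened broken out:  ", attribute_broken_out(form_post_hardened(*args), PAYLOAD))
```

Escaping is context-specific: the same `html.escape` call is correct for an attribute value but would not be enough if `state` were ever written into a `<script>` block or a URL.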
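CVE-2020-1758 above is a certificate-validation gap on the outbound side: the server spoke TLS to the SMTP host but did not check that the presented certificate was for that host, which is what lets a man-in-the-middle with any valid certificate read reset-password mail. In Keycloak this is the realm's SMTP configuration; the Python below is an added example for this page showing the same weak setting beside the corrected one in a generic STARTTLS client, and is not Keycloak code. The SMTP host and addresses in the usage are placeholders, and the send function is not exercised offline.

```python
import smtplib
import ssl


def smtp_tls_context(verify_hostname: bool = True) -> ssl.SSLContext:
    """TLS context for STARTTLS to the mail server.

    The default context already requires a trusted certificate and checks that it
    matches the host name. verify_hostname=False reproduces the weak
    configuration described for this advisory and exists only for contrast."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED + check_hostname=True
    if not verify_hostname:
        ctx.check_hostname = False           # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """The two properties a reviewer should assert on any outbound TLS context."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def send_with_starttls(host: str, port: int, sender: str, recipient: str,
                       message: str, ctx: ssl.SSLContext = None) -> None:
    """Upgrade a plain SMTP session with STARTTLS; smtplib passes `host` as the
    server_hostname, which is what the context's hostname check compares against."""
    ctx = ctx or smtp_tls_context()
    if not context_is_strict(ctx):
        raise ValueError("refusing to send mail over an unverified TLS session")
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        conn.starttls(context=ctx)
        conn.ehlo()
        conn.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    print("default context strict:", context_is_strict(smtp_tls_context()))
    print("weak context strict:   ", context_is_strict(smtp_tls_context(verify_hostname=False)))
    # send_with_starttls("mail.example", 587, "kc@example", "user@example", "Subject: test\n\nhi")
```

The guard in `send_with_starttls` is the practical point: a context that cannot verify the peer should be rejected at the call site, not silently used.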
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||