| Field | Value |
|---|---|
| purl | pkg:maven/org.keycloak/keycloak-wildfly-server-subsystem@3.4.2.Final |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3248-31p8-tyd4 (aliases: CVE-2020-1725, GHSA-p225-pc2x-4jpm) | Incorrect Authorization: A flaw was found in Keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. | Affected by 2 other vulnerabilities. |
| VCID-6s4w-hv7a-ffaw (aliases: CVE-2020-10770, GHSA-jh7q-5mwf-qvhw) | Keycloak vulnerable to Server-Side Request Forgery: A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out to an unverified URL using the OIDC parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-Side Request Forgery (SSRF) attack. | Affected by 7 other vulnerabilities. |
| VCID-djwn-hkwg-g3gk (aliases: CVE-2020-14302) | Keycloak: reusable `state` parameter at the redirect_uri endpoint enables the possibility of replay attacks. | Affected by 2 other vulnerabilities. |
| VCID-dxj3-8sk5-mfdy (aliases: CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406) | Insufficient Session Expiration: A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. | There are no reported fixed by versions. |
| VCID-e9qa-sy57-fqby (aliases: CVE-2021-20202, GHSA-6xp6-fmc8-pmmr) | Temporary Directory Hijacking Vulnerability in Keycloak: A flaw was found in Keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that Keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity. | Affected by 2 other vulnerabilities. |
| VCID-f8mj-85vd-2yh5 (aliases: CVE-2020-10758, GHSA-52rg-hpwq-qp56) | Allocation of Resources Without Limits or Throttling: A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | Affected by 10 other vulnerabilities. |
| VCID-nhe2-8dtq-gqbf (aliases: CVE-2023-6291, GHSA-mpwq-j3xf-7m5w) | URL Redirection to Untrusted Site ('Open Redirect'): A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. | There are no reported fixed by versions. |
| VCID-sk6p-vfu6-7kem (aliases: CVE-2020-10776, GHSA-484q-784p-8m5h) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site Scripting attack. | Affected by 9 other vulnerabilities. |
| VCID-th5p-51pd-3ffg (aliases: CVE-2020-14389, GHSA-c9x9-xv66-xp3v) | Improper privilege management in Keycloak: A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission. | Affected by 9 other vulnerabilities. |
| VCID-u5ba-kpd5-67bm (aliases: CVE-2020-27838, GHSA-pcv5-m2wh-66j3) | Keycloak discloses information without authentication: A flaw was found in Keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like the client secret) without authentication, which could be an issue if the same PUBLIC client is changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. | Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |