Search for packages
| purl | pkg:npm/keycloak-connect@11.0.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-14c3-xa9j-mbab
Aliases: CVE-2021-3513 GHSA-xv7h-95r7-595j |
Incorrect implementation of lockout feature in Keycloak A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. |
Affected by 10 other vulnerabilities. |
|
VCID-546n-kc1p-cyhm
Aliases: CVE-2021-20222 GHSA-2mq8-99q7-55wx |
Code injection in keycloak A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
Affected by 10 other vulnerabilities. |
|
VCID-7j7q-m1zp-zfac
Aliases: CVE-2023-0091 GHSA-v436-q368-hvgg GMS-2023-37 |
Keycloak has lack of validation of access token on client registrations endpoint When a service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token. If the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints. | There are no reported fixed by versions. |
|
VCID-dxj3-8sk5-mfdy
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Insufficient Session Expiration A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
Affected by 7 other vulnerabilities. |
|
VCID-e9qa-sy57-fqby
Aliases: CVE-2021-20202 GHSA-6xp6-fmc8-pmmr |
Temporary Directory Hijacking Vulnerability in Keycloak A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity. |
Affected by 10 other vulnerabilities. |
|
VCID-ebn8-cjqs-k3ad
Aliases: CVE-2022-4137 GHSA-9hhc-pj4w-w5rv GMS-2023-616 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker. | There are no reported fixed by versions. |
|
VCID-engr-q4ge-53dc
Aliases: CVE-2023-6134 GHSA-cvg2-7c3j-g36j |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. |
Affected by 1 other vulnerability. |
|
VCID-fknh-1j7d-jyeq
Aliases: CVE-2022-1466 GHSA-f32v-vf79-p29q |
Improper authorization in Keycloak Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. |
Affected by 9 other vulnerabilities. |
|
VCID-gp47-t3vm-57an
Aliases: CVE-2022-1438 GHSA-w354-2f3c-qvg9 GMS-2023-529 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability. | There are no reported fixed by versions. |
|
VCID-jzn6-bzzf-nugp
Aliases: CVE-2023-48795 GHSA-45x7-px36-x8w8 |
Improper Validation of Integrity Check Value The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | There are no reported fixed by versions. |
|
VCID-mqgm-ezmw-h7ev
Aliases: CVE-2022-2237 GHSA-59fq-727j-hm3f GMS-2023-578 |
keycloak-connect contains Open redirect vulnerability in the Node.js adapter There is an Open Redirect vulnerability in the Node.js adapter when forwarding requests to Keycloak using `checkSSO` with query param `prompt=none`. |
Affected by 8 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-nhe2-8dtq-gqbf
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
URL Redirection to Untrusted Site ('Open Redirect') A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
Affected by 1 other vulnerability. |
|
VCID-sk6p-vfu6-7kem
Aliases: CVE-2020-10776 GHSA-484q-784p-8m5h |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
Affected by 15 other vulnerabilities. |
|
VCID-th5p-51pd-3ffg
Aliases: CVE-2020-14389 GHSA-c9x9-xv66-xp3v |
Improper privilege management in Keycloak A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission. |
Affected by 15 other vulnerabilities. |
|
VCID-u5ba-kpd5-67bm
Aliases: CVE-2020-27838 GHSA-pcv5-m2wh-66j3 |
Keycloak discloses information without authentication A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. | There are no reported fixed by versions. |
|
VCID-xq2v-4txb-sueu
Aliases: CVE-2023-0105 GHSA-c7xw-p58w-h6fj |
Keycloak: Impersonation and lockout possible through incorrect handling of email trust Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||