Search for packages
| purl | pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs?arch=el7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4bbz-11ta-ybft
Aliases: CVE-2014-9970 GHSA-r5c2-rxh2-f5h2 |
jasypt before 1.9.2 allows a timing attack against the password hash comparison. | There are no reported fixed by versions. |
|
VCID-9bn2-agpc-hfdz
Aliases: CVE-2017-12158 GHSA-v38p-mqq3-m6v5 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. | There are no reported fixed by versions. |
|
VCID-f763-ps3s-b3ep
Aliases: CVE-2017-12159 GHSA-7fmw-85qm-h22p |
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | There are no reported fixed by versions. |
|
VCID-tj32-sye9-gqfe
Aliases: CVE-2017-12197 GHSA-x9rg-q5fx-fx66 |
It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. | There are no reported fixed by versions. |
|
VCID-w7ds-xt1u-9uf9
Aliases: CVE-2017-12160 GHSA-qc72-gfvw-76h7 |
Improper Authentication It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T14:31:51.555371+00:00 | RedHat Importer | Affected by | VCID-4bbz-11ta-ybft | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9970.json | 38.0.0 |
| 2026-04-01T14:27:24.677837+00:00 | RedHat Importer | Affected by | VCID-tj32-sye9-gqfe | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12197.json | 38.0.0 |
| 2026-04-01T14:27:22.223166+00:00 | RedHat Importer | Affected by | VCID-9bn2-agpc-hfdz | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12158.json | 38.0.0 |
| 2026-04-01T14:27:22.200182+00:00 | RedHat Importer | Affected by | VCID-w7ds-xt1u-9uf9 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12160.json | 38.0.0 |
| 2026-04-01T14:27:22.177018+00:00 | RedHat Importer | Affected by | VCID-f763-ps3s-b3ep | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12159.json | 38.0.0 |