| 0 |
| url |
VCID-13dn-ke8h-67ez |
| vulnerability_id |
VCID-13dn-ke8h-67ez |
| summary |
Insufficient Session Expiration
A flaw was found in Keycloak. This flaw allows a malicious user that is currently logged-in, to see the personal information of a previously logged-out user in the account manager section. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 1 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 2 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 3 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 15 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 16 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 17 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 18 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 19 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 20 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 21 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 22 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 23 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 24 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 25 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 26 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 27 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 28 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 29 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 30 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 31 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 32 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 33 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 34 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.2 |
|
|
| aliases |
CVE-2020-1724, GHSA-8xj2-47xw-q78c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-13dn-ke8h-67ez |
|
| 1 |
| url |
VCID-2ba6-j1fs-2kfc |
| vulnerability_id |
VCID-2ba6-j1fs-2kfc |
| summary |
arbitrary code execution |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@11.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@11.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 2 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 3 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 4 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 5 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 6 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 7 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 8 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 9 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 10 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 11 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 12 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 13 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 14 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 15 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 16 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 17 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 18 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 19 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 20 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 21 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 22 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 23 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 24 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 25 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 26 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 27 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 28 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 29 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 30 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 31 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@11.0.0 |
|
|
| aliases |
CVE-2020-1714, GHSA-m6mm-q862-j366
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2ba6-j1fs-2kfc |
|
| 2 |
| url |
VCID-2qmw-afpp-7qa8 |
| vulnerability_id |
VCID-2qmw-afpp-7qa8 |
| summary |
Improper Authentication
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 20 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 21 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 22 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 23 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 24 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 25 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 26 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 27 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 28 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 29 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 30 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 31 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 32 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 33 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 34 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 35 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 36 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 37 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 38 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2020-1718, GHSA-j229-2h63-rvh9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2qmw-afpp-7qa8 |
|
| 3 |
| url |
VCID-361y-pegm-gqbs |
| vulnerability_id |
VCID-361y-pegm-gqbs |
| summary |
Improper authorization in Keycloak
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-1466, GHSA-f32v-vf79-p29q
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-361y-pegm-gqbs |
|
| 4 |
| url |
VCID-3kg4-uvgq-5khf |
| vulnerability_id |
VCID-3kg4-uvgq-5khf |
| summary |
Server-Side Request Forgery (SSRF)
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the `OIDC` parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 2 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 3 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 4 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 5 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 6 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 7 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 8 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 9 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 10 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 11 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 12 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 13 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 14 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 15 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 16 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 17 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 18 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 19 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 20 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 21 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 22 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 23 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 24 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 25 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 26 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 27 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.2 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-10770, GHSA-jh7q-5mwf-qvhw
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3kg4-uvgq-5khf |
|
| 5 |
| url |
VCID-5zh6-37gp-pbas |
| vulnerability_id |
VCID-5zh6-37gp-pbas |
| summary |
Improper Authentication
The SAML broker consumer endpoint in Keycloak ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 10 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 11 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 12 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 13 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 14 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 15 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 16 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 17 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 18 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 19 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 20 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 21 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 22 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 23 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 24 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 25 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 26 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 27 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 28 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 29 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 30 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 31 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 32 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 33 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 34 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 35 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 36 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 37 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 38 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 39 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 40 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 41 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 42 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 43 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 44 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 45 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 46 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
|
|
| aliases |
CVE-2018-14637, GHSA-gf2j-7qwg-4f5x
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5zh6-37gp-pbas |
|
| 6 |
| url |
VCID-7662-z35s-9qeq |
| vulnerability_id |
VCID-7662-z35s-9qeq |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-3513, GHSA-xv7h-95r7-595j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7662-z35s-9qeq |
|
| 7 |
| url |
VCID-7pje-w98s-9ueg |
| vulnerability_id |
VCID-7pje-w98s-9ueg |
| summary |
Keycloak Denial of Service vulnerability
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2254714 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T20:20:35Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2254714 |
|
| 3 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-6841 |
| reference_id |
CVE-2023-6841 |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T20:20:35Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-6841 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6841, GHSA-w97f-w3hq-36g2
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7pje-w98s-9ueg |
|
| 8 |
| url |
VCID-8jvu-59r6-rygw |
| vulnerability_id |
VCID-8jvu-59r6-rygw |
| summary |
Keycloak Open Redirect vulnerability
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the `referrer` and `referrer_uri` parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.
Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the `redirect_uri` using URL encoding, to hide the text of the actual malicious website domain. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6502 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6502 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6503 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6503 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301875 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301875 |
|
| 5 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-7260 |
| reference_id |
CVE-2024-7260 |
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-7260 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7260, GHSA-g4gc-rh26-m3p5
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8jvu-59r6-rygw |
|
| 9 |
|
| 10 |
| url |
VCID-9719-srgk-33dh |
| vulnerability_id |
VCID-9719-srgk-33dh |
| summary |
Improper Certificate Validation
The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (`http` or `ldap`) and hence the caller should verify the signature and possibly the certification path. Keycloak currently does not validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 10 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 11 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 12 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 13 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 14 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 15 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 16 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 17 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 18 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 19 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 20 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 21 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 22 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 23 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 24 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 25 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 26 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 27 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 28 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 29 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 30 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 31 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 32 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 33 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 34 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 35 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 36 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 37 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 38 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 39 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 40 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 41 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 42 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-3875, GHSA-38cg-gg9j-q9j9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9719-srgk-33dh |
|
| 11 |
| url |
VCID-9cgx-nsyr-gyc3 |
| vulnerability_id |
VCID-9cgx-nsyr-gyc3 |
| summary |
Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
### Summary
A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the groups' dropdown functionality.
### Impact
Successful attacks of this vulnerability can result a privileged attacker to load a XSS script, and steal data from other users. The impact can be considered moderate to low, considering privileged credentials are required.
### References
- Please refer to the Keycloak Security mailing list for more information. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-755v-r4x4-qf7m, GMS-2022-7509
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| url |
VCID-9kte-cfz7-hqa3 |
| vulnerability_id |
VCID-9kte-cfz7-hqa3 |
| summary |
Improper Certificate Validation
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 1 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 2 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 3 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 10 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 11 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 12 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 13 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 14 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 15 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 16 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 17 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 18 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 19 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 20 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 21 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 22 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 23 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 24 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 25 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 26 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 27 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 28 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 29 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 30 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 31 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 32 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@10.0.0 |
|
|
| aliases |
CVE-2020-1758, GHSA-c597-f74m-jgc2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9kte-cfz7-hqa3 |
|
| 13 |
| url |
VCID-9wq8-wqya-87dw |
| vulnerability_id |
VCID-9wq8-wqya-87dw |
| summary |
Execution with Unnecessary Privileges
A flaw was found in Keycloak where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 2 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 3 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 4 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 5 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 6 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 7 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 8 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 9 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 10 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 11 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 12 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 13 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 14 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 15 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 16 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 17 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 18 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 19 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 20 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 21 |
| vulnerability |
VCID-pu4g-rbu2-nbdb |
|
| 22 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 23 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 24 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 25 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 26 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 27 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 28 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 29 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-27826, GHSA-m9cj-v55f-8x26
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9wq8-wqya-87dw |
|
| 14 |
| url |
VCID-asw1-xz83-tqb3 |
| vulnerability_id |
VCID-asw1-xz83-tqb3 |
| summary |
Information Exposure
It was found that while parsing the SAML messages the `StaxParserUtil` class of keycloak replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request `ID` field to be the chosen system property which could be obtained in the `InResponseTo` field in the response. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 25 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 26 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 27 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 28 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 31 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 32 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 33 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 34 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 35 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 36 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 37 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 38 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 39 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 40 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 41 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 42 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 43 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 44 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 45 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 46 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 47 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 48 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 49 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 50 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 51 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 52 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
|
|
| aliases |
CVE-2017-2582, GHSA-c77r-6f64-478q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-asw1-xz83-tqb3 |
|
| 15 |
| url |
VCID-azxv-y5rj-vkg9 |
| vulnerability_id |
VCID-azxv-y5rj-vkg9 |
| summary |
Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-azxv-y5rj-vkg9 |
|
| 16 |
| url |
VCID-cg94-7n2h-7fac |
| vulnerability_id |
VCID-cg94-7n2h-7fac |
| summary |
Improper Input Validation
It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 10 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 11 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 12 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 13 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 14 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 15 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 16 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 17 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 18 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 19 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 20 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 21 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 22 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 23 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 24 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 25 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 26 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 27 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 28 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 29 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 30 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 31 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 32 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 33 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 34 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 35 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 36 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 37 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 38 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 39 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 40 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 41 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 42 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-10199, GHSA-p5xp-6vpf-jwvh
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cg94-7n2h-7fac |
|
| 17 |
| url |
VCID-ch1b-adh9-skah |
| vulnerability_id |
VCID-ch1b-adh9-skah |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-1274, GHSA-m4fv-gm5m-4725, GMS-2023-528
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ch1b-adh9-skah |
|
| 18 |
|
| 19 |
| url |
VCID-cwqj-tnbj-3ubh |
| vulnerability_id |
VCID-cwqj-tnbj-3ubh |
| summary |
Information Exposure
A logged exception in the `HttpMethod` class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 10 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 11 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 12 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 13 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 14 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 20 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 21 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 22 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 23 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 24 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 25 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 26 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 27 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 28 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 29 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 30 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 31 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 32 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 33 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 34 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 35 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 36 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.0 |
|
|
| aliases |
CVE-2020-1698, GHSA-qgmm-f2qw-r95f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cwqj-tnbj-3ubh |
|
| 20 |
| url |
VCID-cxx9-9gwy-xyb6 |
| vulnerability_id |
VCID-cxx9-9gwy-xyb6 |
| summary |
certificate verification bypass |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@14.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@14.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 9 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 10 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 11 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 12 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 13 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 14 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 15 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 16 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 17 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 18 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 19 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@14.0.0 |
|
|
| aliases |
CVE-2020-35509, GHSA-rpj2-w6fr-79hc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| url |
VCID-d5ev-gcfy-6ke1 |
| vulnerability_id |
VCID-d5ev-gcfy-6ke1 |
| summary |
Keycloak allows cross-site scripting (XSS)
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-4028, GHSA-q4xq-445g-g6ch
|
| risk_score |
1.7 |
| exploitability |
0.5 |
| weighted_severity |
3.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| url |
VCID-dc8s-fqv5-1uhk |
| vulnerability_id |
VCID-dc8s-fqv5-1uhk |
| summary |
Improper Privilege Management
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 2 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 3 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 4 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 5 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 6 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 7 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 8 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 9 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 10 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 11 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 12 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 13 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 14 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 15 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 16 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 17 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 18 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 19 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 20 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 21 |
| vulnerability |
VCID-pu4g-rbu2-nbdb |
|
| 22 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 23 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 24 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 25 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 26 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 27 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 28 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 29 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-14389, GHSA-c9x9-xv66-xp3v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dc8s-fqv5-1uhk |
|
| 23 |
| url |
VCID-djda-aqxt-s3e9 |
| vulnerability_id |
VCID-djda-aqxt-s3e9 |
| summary |
Information Exposure
Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@6.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@6.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 10 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 11 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 12 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 13 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 14 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 15 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 16 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 17 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 18 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 19 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 20 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 21 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 22 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 23 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 24 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 25 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 26 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 27 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 28 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 29 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 30 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 31 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 32 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 33 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 34 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 35 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 36 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 37 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 38 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 39 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 40 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 41 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 42 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 43 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 44 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 45 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@6.0.0 |
|
|
| aliases |
CVE-2019-3868, GHSA-gc52-xj6p-9pxp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-djda-aqxt-s3e9 |
|
| 24 |
| url |
VCID-ek3f-9qnu-27gv |
| vulnerability_id |
VCID-ek3f-9qnu-27gv |
| summary |
Information Exposure
Keycloak has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 25 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 26 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 27 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 28 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 31 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 32 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 33 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 34 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 35 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 36 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 37 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 38 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 39 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 40 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 41 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 42 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 43 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 44 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 45 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 46 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 47 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 48 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 49 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 50 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 51 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 52 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
|
|
| aliases |
CVE-2017-2585, GHSA-w6gv-3r3v-gwgj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ek3f-9qnu-27gv |
|
| 25 |
| url |
VCID-fh1s-1jqa-3bgp |
| vulnerability_id |
VCID-fh1s-1jqa-3bgp |
| summary |
Improper Certificate Validation
It was found that SAML authentication in Keycloak incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-39am-wkz3-8ubu |
|
| 5 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 6 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 7 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 8 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 9 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 10 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 11 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 12 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 13 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 14 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 25 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 26 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 27 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 28 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 29 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 30 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 31 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 32 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 33 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 34 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 35 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 36 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 37 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 38 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 39 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 40 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 41 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 42 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 43 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 44 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 45 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 46 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 47 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 48 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 49 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
|
|
| aliases |
CVE-2018-10894, GHSA-xvv8-8wh9-9fh2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fh1s-1jqa-3bgp |
|
| 26 |
| url |
VCID-g9qz-99pv-9bgw |
| vulnerability_id |
VCID-g9qz-99pv-9bgw |
| summary |
URL Redirection to Untrusted Site (Open Redirect)
The Redirect URL for both Login and Logout are not normalized in `org.keycloak.protocol.oidc.utils.RedirectUtils` before the redirect url is verified. This can lead to an Open Redirection attack. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 25 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 26 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 27 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 28 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 29 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 30 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 31 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 32 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 33 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 34 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 35 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 36 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 37 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 38 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 39 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 40 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 41 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 42 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 43 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 44 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 45 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 46 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 47 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 48 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 49 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 50 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
|
|
| aliases |
CVE-2018-14658, GHSA-3qh2-mccc-q5m6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g9qz-99pv-9bgw |
|
| 27 |
| url |
VCID-gr2e-ntp4-9fdg |
| vulnerability_id |
VCID-gr2e-ntp4-9fdg |
| summary |
multiple issues |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-1725, GHSA-p225-pc2x-4jpm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gr2e-ntp4-9fdg |
|
| 28 |
| url |
VCID-h539-621j-d7bn |
| vulnerability_id |
VCID-h539-621j-d7bn |
| summary |
Use of Insufficiently Random Values
A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 20 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 21 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 22 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 23 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 24 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 25 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 26 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 27 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 28 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 29 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 30 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 31 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 32 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 33 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 34 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 35 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 36 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 37 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.2 |
|
|
| aliases |
CVE-2020-1731, GHSA-6pmv-7pr9-cgrj
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h539-621j-d7bn |
|
| 29 |
| url |
VCID-hdx2-k9s5-zqff |
| vulnerability_id |
VCID-hdx2-k9s5-zqff |
| summary |
Loop with Unreachable Exit Condition ('Infinite Loop')
keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-39am-wkz3-8ubu |
|
| 5 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 6 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 7 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 8 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 9 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 10 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 11 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 12 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 13 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 14 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 25 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 26 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 27 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 28 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 29 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 30 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 31 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 32 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 33 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 34 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 35 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 36 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 37 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 38 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 39 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 40 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 41 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 42 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 43 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 44 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 45 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 46 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 47 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 48 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
|
|
| aliases |
CVE-2018-10912, GHSA-h7j7-pw3v-3v3x
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hdx2-k9s5-zqff |
|
| 30 |
|
| 31 |
|
| 32 |
| url |
VCID-jbzy-b52n-4kcx |
| vulnerability_id |
VCID-jbzy-b52n-4kcx |
| summary |
cross-site scripting |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 2 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 3 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 4 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 5 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 6 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 7 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 8 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 9 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 10 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 11 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 12 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 13 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 14 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 15 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 16 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 17 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 18 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 19 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 20 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 21 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 22 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 23 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 24 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 25 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 26 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.3 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20195, GHSA-q6w2-89hq-hq27
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jbzy-b52n-4kcx |
|
| 33 |
| url |
VCID-jm25-gtrc-zuhh |
| vulnerability_id |
VCID-jm25-gtrc-zuhh |
| summary |
multiple issues |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20202, GHSA-6xp6-fmc8-pmmr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jm25-gtrc-zuhh |
|
| 34 |
| url |
VCID-k6ct-rgvj-t3an |
| vulnerability_id |
VCID-k6ct-rgvj-t3an |
| summary |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6134, GHSA-cvg2-7c3j-g36j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k6ct-rgvj-t3an |
|
| 35 |
| url |
VCID-m4fq-trvy-bub3 |
| vulnerability_id |
VCID-m4fq-trvy-bub3 |
| summary |
keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 20 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 21 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 22 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 23 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 24 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 25 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 26 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 27 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 28 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 29 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 30 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 31 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 32 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 33 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 34 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 35 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 36 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 37 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 38 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-14837, GHSA-cf8f-w2c5-p5jr
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m4fq-trvy-bub3 |
|
| 36 |
| url |
VCID-mbjc-wux2-y3gd |
| vulnerability_id |
VCID-mbjc-wux2-y3gd |
| summary |
JBoss KeyCloak Cross-site Scripting Vulnerability
If a JBoss Keycloak application was configured to use `*` as a permitted web origin in the Keycloak administrative console, crafted requests to the `login-status-iframe.html` endpoint could inject arbitrary Javascript into the generated HTML code via the "origin" query parameter, leading to a cross-site scripting (XSS) vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@1.1.0.Beta1 |
| purl |
pkg:maven/org.keycloak/keycloak-core@1.1.0.Beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-asw1-xz83-tqb3 |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-ek3f-9qnu-27gv |
|
| 25 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 26 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 27 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 28 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 29 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 30 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 31 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 32 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 33 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 34 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 35 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 36 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 37 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 38 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 39 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 40 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 41 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 42 |
| vulnerability |
VCID-qtb9-7q3d-kqa2 |
|
| 43 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 44 |
| vulnerability |
VCID-u8yn-1j1n-gbhu |
|
| 45 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 46 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 47 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 48 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 49 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 50 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 51 |
| vulnerability |
VCID-x8bu-57yh-kbex |
|
| 52 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 53 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 54 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 55 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 56 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 57 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@1.1.0.Beta1 |
|
|
| aliases |
CVE-2014-3656, GHSA-px42-mr8m-cpgh
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mbjc-wux2-y3gd |
|
| 37 |
| url |
VCID-mkkw-kxbq-7yhg |
| vulnerability_id |
VCID-mkkw-kxbq-7yhg |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
When Keycloak receives a Logout request in the middle of the request, the `SAMLSloRequestParser.parse()` method ends in an infinite loop. An attacker could use this flaw to conduct denial of service attacks. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 25 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 26 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 27 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 28 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 31 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 32 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 33 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 34 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 35 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 36 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 37 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 38 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 39 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 40 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 41 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 42 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 43 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 44 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 45 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 46 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 47 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 48 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 49 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 50 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 51 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
|
|
| aliases |
CVE-2017-2646, GHSA-jc6q-27mw-p55w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mkkw-kxbq-7yhg |
|
| 38 |
| url |
VCID-msda-mepw-3qhe |
| vulnerability_id |
VCID-msda-mepw-3qhe |
| summary |
Uncontrolled Resource Consumption
JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@1.0.3.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@1.0.3.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-asw1-xz83-tqb3 |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-ek3f-9qnu-27gv |
|
| 25 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 26 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 27 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 28 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 29 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 30 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 31 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 32 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 33 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 34 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 35 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 36 |
| vulnerability |
VCID-mbjc-wux2-y3gd |
|
| 37 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 38 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 39 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 40 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 41 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 42 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 43 |
| vulnerability |
VCID-qtb9-7q3d-kqa2 |
|
| 44 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 45 |
| vulnerability |
VCID-u8yn-1j1n-gbhu |
|
| 46 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 47 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 48 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 49 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 50 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 51 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 52 |
| vulnerability |
VCID-x8bu-57yh-kbex |
|
| 53 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 54 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 55 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 56 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 57 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 58 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@1.0.3.Final |
|
|
| aliases |
CVE-2014-3651, GHSA-r32r-3977-cgc3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-msda-mepw-3qhe |
|
| 39 |
| url |
VCID-mwdj-rztg-pfgf |
| vulnerability_id |
VCID-mwdj-rztg-pfgf |
| summary |
keycloak-core: open redirect via "form_post.jwt" JARM response mode
An incomplete fix was found in Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-9vm7-v8wj-3fqw, GMS-2024-51
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mwdj-rztg-pfgf |
|
| 40 |
|
| 41 |
| url |
VCID-p1cj-f4de-1qc4 |
| vulnerability_id |
VCID-p1cj-f4de-1qc4 |
| summary |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 20 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 21 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 22 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 23 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 24 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 25 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 26 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 27 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 28 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 29 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 30 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 31 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 32 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 33 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 34 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 35 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 36 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 37 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 38 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-10170, GHSA-7m27-3587-83xf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p1cj-f4de-1qc4 |
|
| 42 |
| url |
VCID-prsa-264j-mfah |
| vulnerability_id |
VCID-prsa-264j-mfah |
| summary |
Improper Authentication
It was found that Keycloak's SAML broker did not verify missing message signatures. If an attacker modifies the SAML Response and removes the `<Signature>` sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 10 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 11 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 12 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 13 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 14 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 15 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 16 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 17 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 18 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 19 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 20 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 21 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 22 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 23 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 24 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 25 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 26 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 27 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 28 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 29 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 30 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 31 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 32 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 33 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 34 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 35 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 36 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 37 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 38 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 39 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 40 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 41 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 42 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-10201, GHSA-4fgq-gq9g-3rw7
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-prsa-264j-mfah |
|
| 43 |
|
| 44 |
| url |
VCID-qtb9-7q3d-kqa2 |
| vulnerability_id |
VCID-qtb9-7q3d-kqa2 |
| summary |
Moderate severity vulnerability that affects org.keycloak:keycloak-core
Withdrawn: Duplicate of CVE-2017-12161 / GHSA-959q-32g8-vvp7 |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.0.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.0.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-asw1-xz83-tqb3 |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-ek3f-9qnu-27gv |
|
| 25 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 26 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 27 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 28 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 29 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 30 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 31 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 32 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 33 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 34 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 35 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 36 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 37 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 38 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 39 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 40 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 41 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 42 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 43 |
| vulnerability |
VCID-u8yn-1j1n-gbhu |
|
| 44 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 45 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 46 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 47 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 48 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 49 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 50 |
| vulnerability |
VCID-x8bu-57yh-kbex |
|
| 51 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 52 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 53 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 54 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 55 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 56 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.0.0.Final |
|
|
| aliases |
CVE-2017-1000500, GHSA-qgm9-232x-hwpx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qtb9-7q3d-kqa2 |
|
| 45 |
| url |
VCID-rhrz-f6tf-tkhu |
| vulnerability_id |
VCID-rhrz-f6tf-tkhu |
| summary |
Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references.
# Original Description
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.
A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
GHSA-57rh-gr4v-j5f6
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rhrz-f6tf-tkhu |
|
| 46 |
| url |
VCID-u8yn-1j1n-gbhu |
| vulnerability_id |
VCID-u8yn-1j1n-gbhu |
| summary |
Moderate severity vulnerability that affects org.keycloak:keycloak-core
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-asw1-xz83-tqb3 |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-ek3f-9qnu-27gv |
|
| 25 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 26 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 27 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 28 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 29 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 30 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 31 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 32 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 33 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 34 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 35 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 36 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 37 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 38 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 39 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 40 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 41 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 42 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 43 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 44 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 45 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 46 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 47 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 48 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 49 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 50 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 51 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 52 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 53 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 54 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
|
|
| aliases |
CVE-2016-8629, GHSA-778x-2mqv-w6xw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u8yn-1j1n-gbhu |
|
| 47 |
| url |
VCID-vgbc-v44r-vugq |
| vulnerability_id |
VCID-vgbc-v44r-vugq |
| summary |
Weak Password Recovery Mechanism for Forgotten Password
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 25 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 26 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 27 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 28 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 29 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 30 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 31 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 32 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 33 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 34 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 35 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 36 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 37 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 38 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 39 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 40 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 41 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 42 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 43 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 44 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 45 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 46 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 47 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 48 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 49 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
|
|
| aliases |
CVE-2017-12161, GHSA-959q-32g8-vvp7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vgbc-v44r-vugq |
|
| 48 |
| url |
VCID-vs8q-ywf1-3qa2 |
| vulnerability_id |
VCID-vs8q-ywf1-3qa2 |
| summary |
keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 9 |
| vulnerability |
VCID-dvk9-qsq9-4uc3 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 15 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 16 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 17 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 18 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@15.1.0 |
|
|
| aliases |
CVE-2021-3856, GHSA-3w4v-rvc4-2xpw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vs8q-ywf1-3qa2 |
|
| 49 |
| url |
VCID-wgzd-wv2e-pyhy |
| vulnerability_id |
VCID-wgzd-wv2e-pyhy |
| summary |
Improper Restriction of Rendered UI Layers or Frames
A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 1 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 2 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 3 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 10 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 11 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 12 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 13 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 14 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 15 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 16 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 17 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 18 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 19 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 20 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 21 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 22 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 23 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 24 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 25 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 26 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 27 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 28 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 29 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 30 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 31 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 32 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@10.0.0 |
|
|
| aliases |
CVE-2020-1728, GHSA-3gg7-9q2x-79fc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wgzd-wv2e-pyhy |
|
| 50 |
| url |
VCID-wt2c-cyu2-kbgm |
| vulnerability_id |
VCID-wt2c-cyu2-kbgm |
| summary |
multiple issues |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-27838, GHSA-pcv5-m2wh-66j3
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wt2c-cyu2-kbgm |
|
| 51 |
| url |
VCID-wuh8-4akm-2uae |
| vulnerability_id |
VCID-wuh8-4akm-2uae |
| summary |
Cross-site Scripting
In Keycloak, links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 10 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 11 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 12 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 13 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 14 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 20 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 21 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 22 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 23 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 24 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 25 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 26 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 27 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 28 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 29 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 30 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 31 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 32 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 33 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 34 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 35 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 36 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.0 |
|
|
| aliases |
CVE-2020-1697, GHSA-8vf3-4w62-m3pq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wuh8-4akm-2uae |
|
| 52 |
| url |
VCID-x4z9-b3qr-fybk |
| vulnerability_id |
VCID-x4z9-b3qr-fybk |
| summary |
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-10039, GHSA-93ww-43rr-79v3
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x4z9-b3qr-fybk |
|
| 53 |
| url |
VCID-x8bu-57yh-kbex |
| vulnerability_id |
VCID-x8bu-57yh-kbex |
| summary |
Improper Authentication
It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-asw1-xz83-tqb3 |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-ek3f-9qnu-27gv |
|
| 25 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 26 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 27 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 28 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 29 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 30 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 31 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 32 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 33 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 34 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 35 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 36 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 37 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 38 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 39 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 40 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 41 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 42 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 43 |
| vulnerability |
VCID-u8yn-1j1n-gbhu |
|
| 44 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 45 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 46 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 47 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 48 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 49 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 50 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 51 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 52 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 53 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 54 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 55 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
|
|
| aliases |
CVE-2016-8609, GHSA-95m6-mjh3-58gm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x8bu-57yh-kbex |
|
| 54 |
| url |
VCID-xbkp-kjgd-fqcx |
| vulnerability_id |
VCID-xbkp-kjgd-fqcx |
| summary |
URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6291, GHSA-mpwq-j3xf-7m5w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xbkp-kjgd-fqcx |
|
| 55 |
| url |
VCID-xvvs-ttw1-wkbt |
| vulnerability_id |
VCID-xvvs-ttw1-wkbt |
| summary |
Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6502 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6502 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6503 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6503 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 |
|
| 5 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-7318 |
| reference_id |
CVE-2024-7318 |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-7318 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7318, GHSA-xmmm-jw76-q7vg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xvvs-ttw1-wkbt |
|
| 56 |
| url |
VCID-y9de-4w6u-abfa |
| vulnerability_id |
VCID-y9de-4w6u-abfa |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 2 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 3 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 4 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 5 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 6 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 7 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 8 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 9 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 10 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 11 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 12 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 13 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 14 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 15 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 16 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 17 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 18 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 19 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 20 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 21 |
| vulnerability |
VCID-pu4g-rbu2-nbdb |
|
| 22 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 23 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 24 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 25 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 26 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 27 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 28 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 29 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-10776, GHSA-484q-784p-8m5h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y9de-4w6u-abfa |
|
| 57 |
| url |
VCID-zabp-1j4k-9bf8 |
| vulnerability_id |
VCID-zabp-1j4k-9bf8 |
| summary |
Keycloak vulnerable to untrusted certificate validation
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-1664, GHSA-5cc8-pgp5-7mpm, GHSA-c892-cwq6-qrqf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zabp-1j4k-9bf8 |
|
| 58 |
| url |
VCID-zfgf-9455-d3fe |
| vulnerability_id |
VCID-zfgf-9455-d3fe |
| summary |
Information Exposure
It was found that keycloak exposes internal adapter endpoints in `org.keycloak.constants.AdapterConstants`, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 20 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 21 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 22 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 23 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 24 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 25 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 26 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 27 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 28 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 29 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 30 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 31 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 32 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 33 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 34 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 35 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 36 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 37 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 38 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-14820, GHSA-xfqh-7356-vqjj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zfgf-9455-d3fe |
|
| 59 |
| url |
VCID-zkxq-ejyr-8ba8 |
| vulnerability_id |
VCID-zkxq-ejyr-8ba8 |
| summary |
Improper Handling of Exceptional Conditions
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 1 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 2 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 3 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 15 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 16 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 17 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 18 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 19 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 20 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 21 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 22 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 23 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 24 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 25 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 26 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 27 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 28 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 29 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 30 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 31 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 32 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 33 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 34 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.2 |
|
|
| aliases |
CVE-2020-1744, GHSA-4gf2-xv97-63m2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zkxq-ejyr-8ba8 |
|