Search for packages
| purl | pkg:maven/org.keycloak/keycloak-services@24.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1azf-tnm3-pyh3
Aliases: GHSA-fx44-2wx5-5fvp |
Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass |
Affected by 0 other vulnerabilities. |
|
VCID-25gj-djgm-aaak
Aliases: CVE-2023-3597 GHSA-4f53-xh3v-g8x4 |
Keycloak secondary factor bypass in step-up authentication |
Affected by 16 other vulnerabilities. |
|
VCID-28mx-tym1-aaaf
Aliases: CVE-2023-6787 GHSA-c9h6-v78w-52wj |
Keycloak vulnerable to session hijacking via re-authentication |
Affected by 16 other vulnerabilities. |
|
VCID-2u3y-y6mn-aaac
Aliases: GHSA-69fp-7c8p-crjr |
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability. |
Affected by 13 other vulnerabilities. |
|
VCID-5hrf-cqc3-b7am
Aliases: GHSA-r934-w73g-v4p8 |
Duplicate Advisory: Keycloak hostname verification |
Affected by 0 other vulnerabilities. |
|
VCID-5skn-shbk-aaaj
Aliases: CVE-2024-2419 GHSA-mrv8-pqfj-7gp5 |
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291. |
Affected by 16 other vulnerabilities. |
|
VCID-6y2h-e36u-aaak
Aliases: CVE-2024-3656 GHSA-2cww-fgmg-4jqc |
Keycloak's admin API allows low privilege users to use administrative functions Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. **Acknowledgements:** Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
Affected by 13 other vulnerabilities. |
|
VCID-ceef-drz5-cfa8
Aliases: CVE-2024-7341 GHSA-j76j-rqwj-jmvv |
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. |
Affected by 1 other vulnerability. Affected by 12 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-dk7y-hky5-kbey
Aliases: GHSA-rq4w-cjrr-h8w8 |
Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7. This link is maintained to preserve external references. # Original Description A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. |
Affected by 5 other vulnerabilities. |
|
VCID-e51s-1cpw-qufr
Aliases: CVE-2024-10270 GHSA-wq8x-cg39-8mrr |
org.keycloak:keycloak-services: Keycloak Denial of Service |
Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-f19m-zv2h-9fgu
Aliases: CVE-2024-8883 GHSA-vvf8-2h68-9475 |
Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec |
Affected by 8 other vulnerabilities. |
|
VCID-gm3s-z2z6-wuec
Aliases: CVE-2024-4629 GHSA-8wm9-24qg-m5qj GHSA-gc7q-jgjv-vjr2 |
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. |
Affected by 16 other vulnerabilities. Affected by 1 other vulnerability. Affected by 12 other vulnerabilities. |
|
VCID-gpuj-k3g2-cyga
Aliases: GHSA-j3x3-r585-4qhg |
Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity |
Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-hd63-wdye-aaan
Aliases: GHSA-4vc8-pg5c-vg4x |
Keycloak's improper input validation allows using email as username Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails. |
Affected by 24 other vulnerabilities. |
|
VCID-k2pw-c83c-aaaj
Aliases: CVE-2023-6544 GHSA-46c8-635v-68r2 |
Keycloak Authorization Bypass vulnerability |
Affected by 16 other vulnerabilities. |
|
VCID-kwe5-xg4b-aaak
Aliases: CVE-2023-0657 GHSA-7fpj-9hr8-28vh |
Keycloak vulnerable to impersonation via logout token exchange |
Affected by 16 other vulnerabilities. |
|
VCID-pgg6-jps5-aaam
Aliases: GHSA-4vrx-8phj-x3mg |
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references. ## Original Description A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. |
Affected by 13 other vulnerabilities. |
|
VCID-scqu-xf9x-3kff
Aliases: GHSA-w8gr-xwp4-r9f7 |
Vulnerable Redirect URI Validation Results in Open Redirect |
Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-ubt4-nmw3-aaap
Aliases: CVE-2024-1132 GHSA-72vp-xfrc-42xm |
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL. |
Affected by 16 other vulnerabilities. |
|
VCID-ur9z-vd6r-9qcj
Aliases: CVE-2025-2559 GHSA-2935-2wfm-hhpv |
org.keycloak/keycloak-services: JWT Token Cache Exhaustion Leading to Denial of Service (DoS) in Keycloak |
Affected by 4 other vulnerabilities. |
|
VCID-w71m-tyt8-dqby
Aliases: CVE-2025-3501 GHSA-hw58-3793-42gg |
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
Affected by 0 other vulnerabilities. |
|
VCID-wbw4-mn7z-6yey
Aliases: GHSA-5rxp-2rhr-qwqv |
Session fixation in Elytron SAML adapters |
Affected by 1 other vulnerability. Affected by 10 other vulnerabilities. |
|
VCID-yej1-gv6v-aaaa
Aliases: CVE-2024-1249 GHSA-m6q9-p373-g5q8 |
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. |
Affected by 16 other vulnerabilities. |
|
VCID-yj6d-cyq5-aaaj
Aliases: CVE-2023-6717 GHSA-8rmm-gm28-pj8q |
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow |
Affected by 16 other vulnerabilities. |
|
VCID-ze83-qhsk-67bh
Aliases: CVE-2025-3910 GHSA-5jfq-x6xp-7rw2 |
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7vmf-dh8n-aaaq | Keycloak Denial of Service via account lockout In any realm set with "User (Self) registration" a user that is registered with a username in email format can be "locked out" (denied from logging in) using his username. |
GHSA-cq42-vhv7-xr7p
|