Search for packages
| purl | pkg:maven/org.keycloak/keycloak-services@24.0.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1azf-tnm3-pyh3
Aliases: GHSA-fx44-2wx5-5fvp |
Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass |
Affected by 0 other vulnerabilities. |
|
VCID-2u3y-y6mn-aaac
Aliases: GHSA-69fp-7c8p-crjr |
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability. |
Affected by 13 other vulnerabilities. |
|
VCID-5hrf-cqc3-b7am
Aliases: GHSA-r934-w73g-v4p8 |
Duplicate Advisory: Keycloak hostname verification |
Affected by 0 other vulnerabilities. |
|
VCID-6y2h-e36u-aaak
Aliases: CVE-2024-3656 GHSA-2cww-fgmg-4jqc |
Keycloak's admin API allows low privilege users to use administrative functions Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. **Acknowledgements:** Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
Affected by 13 other vulnerabilities. |
|
VCID-ceef-drz5-cfa8
Aliases: CVE-2024-7341 GHSA-j76j-rqwj-jmvv |
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. |
Affected by 1 other vulnerability. Affected by 12 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-dk7y-hky5-kbey
Aliases: GHSA-rq4w-cjrr-h8w8 |
Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7. This link is maintained to preserve external references. # Original Description A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. |
Affected by 5 other vulnerabilities. |
|
VCID-e51s-1cpw-qufr
Aliases: CVE-2024-10270 GHSA-wq8x-cg39-8mrr |
org.keycloak:keycloak-services: Keycloak Denial of Service |
Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-f19m-zv2h-9fgu
Aliases: CVE-2024-8883 GHSA-vvf8-2h68-9475 |
Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec |
Affected by 8 other vulnerabilities. |
|
VCID-gm3s-z2z6-wuec
Aliases: CVE-2024-4629 GHSA-8wm9-24qg-m5qj GHSA-gc7q-jgjv-vjr2 |
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. |
Affected by 1 other vulnerability. Affected by 12 other vulnerabilities. |
|
VCID-gpuj-k3g2-cyga
Aliases: GHSA-j3x3-r585-4qhg |
Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity |
Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-pgg6-jps5-aaam
Aliases: GHSA-4vrx-8phj-x3mg |
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references. ## Original Description A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. |
Affected by 13 other vulnerabilities. |
|
VCID-scqu-xf9x-3kff
Aliases: GHSA-w8gr-xwp4-r9f7 |
Vulnerable Redirect URI Validation Results in Open Redirect |
Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-ur9z-vd6r-9qcj
Aliases: CVE-2025-2559 GHSA-2935-2wfm-hhpv |
org.keycloak/keycloak-services: JWT Token Cache Exhaustion Leading to Denial of Service (DoS) in Keycloak |
Affected by 4 other vulnerabilities. |
|
VCID-w71m-tyt8-dqby
Aliases: CVE-2025-3501 GHSA-hw58-3793-42gg |
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
Affected by 0 other vulnerabilities. |
|
VCID-wbw4-mn7z-6yey
Aliases: GHSA-5rxp-2rhr-qwqv |
Session fixation in Elytron SAML adapters |
Affected by 1 other vulnerability. Affected by 10 other vulnerabilities. |
|
VCID-ze83-qhsk-67bh
Aliases: CVE-2025-3910 GHSA-5jfq-x6xp-7rw2 |
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-gm3s-z2z6-wuec | A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. |
CVE-2024-4629
GHSA-8wm9-24qg-m5qj GHSA-gc7q-jgjv-vjr2 |