purl: pkg:maven/org.keycloak/keycloak-services@25.0.3
Vulnerability | Summary | Fixed by
---|---|---
VCID-1azf-tnm3-pyh3 (Aliases: GHSA-fx44-2wx5-5fvp) | Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass | Affected by 0 other vulnerabilities.
VCID-5hrf-cqc3-b7am (Aliases: GHSA-r934-w73g-v4p8) | Duplicate Advisory: Keycloak hostname verification | Affected by 0 other vulnerabilities.
VCID-dk7y-hky5-kbey (Aliases: GHSA-rq4w-cjrr-h8w8) | Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User. This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7; the link is maintained to preserve external references. Original description: A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization's domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. | Affected by 5 other vulnerabilities.
VCID-e51s-1cpw-qufr (Aliases: CVE-2024-10270, GHSA-wq8x-cg39-8mrr) | org.keycloak:keycloak-services: Keycloak Denial of Service | Affected by 6 other vulnerabilities.
VCID-f19m-zv2h-9fgu (Aliases: CVE-2024-8883, GHSA-vvf8-2h68-9475) | Keycloak: Vulnerable Redirect URI Validation Results in Open Redirect | Affected by 8 other vulnerabilities.
VCID-gm3s-z2z6-wuec (Aliases: CVE-2024-4629, GHSA-8wm9-24qg-m5qj, GHSA-gc7q-jgjv-vjr2) | A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more password guesses than intended, potentially compromising account security on affected systems. | Affected by 12 other vulnerabilities.
VCID-gpuj-k3g2-cyga (Aliases: GHSA-j3x3-r585-4qhg) | Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity | Affected by 6 other vulnerabilities.
VCID-scqu-xf9x-3kff (Aliases: GHSA-w8gr-xwp4-r9f7) | Vulnerable Redirect URI Validation Results in Open Redirect | Affected by 8 other vulnerabilities.
VCID-ur9z-vd6r-9qcj (Aliases: CVE-2025-2559, GHSA-2935-2wfm-hhpv) | org.keycloak/keycloak-services: JWT Token Cache Exhaustion Leading to Denial of Service (DoS) in Keycloak | Affected by 4 other vulnerabilities.
VCID-w71m-tyt8-dqby (Aliases: CVE-2025-3501, GHSA-hw58-3793-42gg) | A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. | Affected by 0 other vulnerabilities.
VCID-wbw4-mn7z-6yey (Aliases: GHSA-5rxp-2rhr-qwqv) | Session fixation in Elytron SAML adapters | Affected by 10 other vulnerabilities.
VCID-ze83-qhsk-67bh (Aliases: CVE-2025-3910, GHSA-5jfq-x6xp-7rw2) | A flaw was found in Keycloak. The org.keycloak.authorization package may allow required actions to be circumvented, letting users skip requirements such as setting up two-factor authentication. | Affected by 0 other vulnerabilities.
Vulnerability | Summary | Aliases
---|---|---
VCID-ceef-drz5-cfa8 | A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. | CVE-2024-7341, GHSA-j76j-rqwj-jmvv