Package details: pkg:maven/org.keycloak/keycloak-core@1.0-beta-1-20150523
purl pkg:maven/org.keycloak/keycloak-core@1.0-beta-1-20150523
Next non-vulnerable version 26.1.3
Latest non-vulnerable version 26.1.3
Risk 10.0
Vulnerabilities affecting this package (59)
Vulnerability Summary Fixed by
VCID-1hec-prs3-93ae
Aliases:
CVE-2019-10170
GHSA-7m27-3587-83xf
Privilege Defined With Unsafe Actions in Keycloak A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.
8.0.0
Affected by 38 other vulnerabilities.
VCID-1uvc-jkdm-z3fn
Aliases:
CVE-2020-27826
GHSA-m9cj-v55f-8x26
Authentication Bypass in keycloak A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.
12.0.0
Affected by 29 other vulnerabilities.
VCID-25s7-ksww-6qa2
Aliases:
CVE-2019-3868
GHSA-gc52-xj6p-9pxp
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result, an attacker with access to the service provider backend could hijack the user's browser session.
6.0.0
Affected by 45 other vulnerabilities.
VCID-27u9-dnbz-m3cu
Aliases:
CVE-2023-6841
GHSA-w97f-w3hq-36g2
Keycloak Denial of Service vulnerability A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited. An attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature.
24.0.0
Affected by 6 other vulnerabilities.
VCID-31gq-x8za-3bdz
Aliases:
CVE-2020-1725
GHSA-p225-pc2x-4jpm
Incorrect Authorization in keycloak A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.
13.0.0
Affected by 20 other vulnerabilities.
VCID-3dnq-gcve-ufc6
Aliases:
CVE-2020-10770
GHSA-jh7q-5mwf-qvhw
Keycloak vulnerable to Server-Side Request Forgery A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
12.0.2
Affected by 27 other vulnerabilities.
13.0.0
Affected by 20 other vulnerabilities.
VCID-4vqy-eayd-gqdq
Aliases:
CVE-2016-8629
GHSA-778x-2mqv-w6xw
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the REST server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
2.4.0.Final
Affected by 54 other vulnerabilities.
2.4.0
Affected by 0 other vulnerabilities.
VCID-65b2-56z7-hfan
Aliases:
CVE-2022-3916
GHSA-97g8-xfvw-q4hg
GMS-2022-8406
Keycloak vulnerable to session takeover with OIDC offline refresh tokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.
20.0.2
Affected by 14 other vulnerabilities.
VCID-675z-39ka-s3as
Aliases:
CVE-2020-1697
GHSA-8vf3-4w62-m3pq
XSS in Keycloak It was found in all Keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.
9.0.0
Affected by 36 other vulnerabilities.
VCID-6fd9-kenc-8fhc
Aliases:
CVE-2020-10776
GHSA-484q-784p-8m5h
Cross-site Scripting in keycloak A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
12.0.0
Affected by 29 other vulnerabilities.
VCID-7t4n-1rts-g7cx
Aliases:
CVE-2023-6134
GHSA-cvg2-7c3j-g36j
Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri Keycloak prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This could permit an attacker to submit a specially crafted request leading to XSS or possibly further attacks.
23.0.0
Affected by 9 other vulnerabilities.
VCID-873b-rjgu-uyf7
Aliases:
CVE-2017-12161
GHSA-959q-32g8-vvp7
Moderate severity vulnerability that affects org.keycloak:keycloak-core It was found that Keycloak before 3.4.2.Final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
3.4.2.Final
Affected by 49 other vulnerabilities.
3.4.2
Affected by 0 other vulnerabilities.
VCID-8k4c-w1dp-87du
Aliases:
CVE-2021-3632
GHSA-qpq9-jpv4-6gwr
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
15.1.0
Affected by 18 other vulnerabilities.
VCID-8kwu-hac9-1fhk
Aliases:
GHSA-57rh-gr4v-j5f6
Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date. This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references. Original description: A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable at around 30 seconds, the tokens are valid for an additional 30 seconds, totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
24.0.7
Affected by 0 other vulnerabilities.
25.0.0
Affected by 3 other vulnerabilities.
VCID-919t-yfm6-dydu
Aliases:
CVE-2023-0091
GHSA-v436-q368-hvgg
GMS-2023-37
Keycloak lacks validation of access token on client registration endpoints A service account with the create-client or manage-clients role can use the client-registration endpoints to create or manage clients with an access token. If the access token is leaked, there is an option to revoke that specific token; however, this revocation check is not performed in the client-registration endpoints.
20.0.3
Affected by 12 other vulnerabilities.
VCID-9mrp-8k8r-dkcf
Aliases:
CVE-2021-3856
GHSA-3w4v-rvc4-2xpw
Keycloak has Files or Directories Accessible to External Parties ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of arbitrary files if available.
15.1.0
Affected by 18 other vulnerabilities.
VCID-arz8-9ngd-2yce
Aliases:
CVE-2018-10894
GHSA-xvv8-8wh9-9fh2
Keycloak Authentication Error It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
3.4.3.Final
Affected by 49 other vulnerabilities.
3.4.3
Affected by 0 other vulnerabilities.
VCID-awj2-djb5-eye4
Aliases:
CVE-2017-1000500
GHSA-qgm9-232x-hwpx
Moderate severity vulnerability that affects org.keycloak:keycloak-core Withdrawn: Duplicate of CVE-2017-12161 / GHSA-959q-32g8-vvp7
2.0.0.Final
Affected by 56 other vulnerabilities.
2.0.0
Affected by 0 other vulnerabilities.
VCID-b6mp-jcq2-uqbv
Aliases:
CVE-2021-20202
GHSA-6xp6-fmc8-pmmr
Temporary Directory Hijacking Vulnerability in Keycloak A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.
13.0.0
Affected by 20 other vulnerabilities.
VCID-bb1j-v7vy-kfej
Aliases:
CVE-2014-3656
GHSA-px42-mr8m-cpgh
JBoss Keycloak Cross-site Scripting Vulnerability If a JBoss Keycloak application was configured to use `*` as a permitted web origin in the Keycloak administrative console, crafted requests to the `login-status-iframe.html` endpoint could inject arbitrary JavaScript into the generated HTML code via the "origin" query parameter, leading to a cross-site scripting (XSS) vulnerability.
1.1.0.Beta1
Affected by 57 other vulnerabilities.
VCID-c3gj-w7y1-d3dm
Aliases:
CVE-2022-1466
GHSA-f32v-vf79-p29q
Improper authorization in Keycloak Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
17.0.1
Affected by 15 other vulnerabilities.
VCID-cnju-ee9e-d3c1
Aliases:
CVE-2019-10201
GHSA-4fgq-gq9g-3rw7
Improper Verification of Cryptographic Signature in keycloak It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
7.0.0
Affected by 42 other vulnerabilities.
VCID-cp6h-pgxj-4fck
Aliases:
CVE-2019-14820
GHSA-xfqh-7356-vqjj
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.
8.0.0
Affected by 38 other vulnerabilities.
VCID-d212-ftxm-23ft
Aliases:
GHSA-gmrm-8fx4-66x7
Duplicate Advisory: Keycloak: Leak of configured LDAP bind credentials. This advisory has been withdrawn because it is a duplicate of GHSA-c25h-c27q-5qpv. This link is maintained to preserve external references. Original description: A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.
25.0.0
Affected by 3 other vulnerabilities.
VCID-e3ff-n9zd-u7fm
Aliases:
CVE-2020-1724
GHSA-8xj2-47xw-q78c
Keycloak Insufficient Session Expiry A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.
9.0.2
Affected by 34 other vulnerabilities.
VCID-e8kx-9sx3-dkc8
Aliases:
CVE-2018-10912
GHSA-h7j7-pw3v-3v3x
Moderate severity vulnerability that affects org.keycloak:keycloak-core Keycloak before version 4.0.0.Final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and enter an infinite loop. A malicious authenticated user could use this flaw to achieve denial of service on the server.
4.0.0.Final
Affected by 48 other vulnerabilities.
4.0.0
Affected by 0 other vulnerabilities.
VCID-e8vg-dt2k-a3f1
Aliases:
CVE-2018-14637
GHSA-gf2j-7qwg-4f5x
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
4.6.0.Final
Affected by 46 other vulnerabilities.
4.6.0
Affected by 0 other vulnerabilities.
VCID-er4b-335e-xydr
Aliases:
CVE-2017-2582
GHSA-c77r-6f64-478q
keycloak-core discloses system properties It was found that while parsing SAML messages, the StaxParserUtil class of Keycloak before 2.5.1 replaces special strings used for obtaining attribute values with the corresponding system property value. This could allow an attacker to determine values of system properties on the attacked system by formatting the SAML request ID field as the chosen system property reference, whose value would then be returned in the "InResponseTo" field of the response.
2.5.1.Final
Affected by 52 other vulnerabilities.
2.5.1
Affected by 0 other vulnerabilities.
VCID-f7ys-kjgb-nyg5
Aliases:
CVE-2020-1758
GHSA-c597-f74m-jgc2
Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
10.0.0
Affected by 32 other vulnerabilities.
VCID-fkbv-nmgv-q7eh
Aliases:
CVE-2021-20195
GHSA-q6w2-89hq-hq27
Keycloak Self Stored Cross-site Scripting vulnerability A flaw was found in Keycloak in versions before 13.0.0. A self stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and JavaScript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
12.0.3
Affected by 26 other vulnerabilities.
13.0.0
Affected by 20 other vulnerabilities.
VCID-gyrk-cxkp-uyh8
Aliases:
CVE-2021-3513
GHSA-xv7h-95r7-595j
Incorrect implementation of lockout feature in Keycloak A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
13.0.0
Affected by 20 other vulnerabilities.
VCID-hak7-6v8b-huan
Aliases:
CVE-2022-0225
GHSA-fqc7-5xxc-ph7r
Keycloak XSS via use of malicious payload as group name when creating new group from admin console A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
16.1.1
Affected by 17 other vulnerabilities.
VCID-jaaf-83vf-ekdm
Aliases:
GHSA-755v-r4x4-qf7m
GMS-2022-7509
Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown Summary: A stored XSS vulnerability was reported on the Keycloak Security mailing list, affecting all versions of Keycloak, including the latest release at the time (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the groups dropdown functionality. Impact: Successful exploitation allows a privileged attacker to load an XSS script and steal data from other users. The impact can be considered moderate to low, considering that privileged credentials are required. References: Please refer to the Keycloak Security mailing list for more information.
20.0.0
Affected by 14 other vulnerabilities.
VCID-jxqa-barm-1kbg
Aliases:
CVE-2014-3651
GHSA-r32r-3977-cgc3
Keycloak vulnerable to uncontrolled resource consumption JBoss Keycloak versions prior to 1.0.3.Final allow remote attackers to cause a denial of service (resource consumption) by supplying a large value in the size parameter to auth/qrcode, related to QR code generation.
1.0.3
Affected by 0 other vulnerabilities.
1.0.3.Final
Affected by 58 other vulnerabilities.
VCID-k4gc-uaw5-gyer
Aliases:
CVE-2020-1728
GHSA-3gg7-9q2x-79fc
Improper Restriction of Rendered UI Layers or Frames in Keycloak A vulnerability was found in all versions of Keycloak where the pages in the Admin Console area of the application are completely missing general HTTP security headers in HTTP responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.
10.0.0
Affected by 32 other vulnerabilities.
VCID-m2sg-bxzt-d3g7
Aliases:
CVE-2020-1744
GHSA-4gf2-xv97-63m2
Exposure of Sensitive Information in keycloak A flaw was found in Keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP, the failed login events for OTP are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events.
9.0.1
Affected by 1 other vulnerability.
9.0.2
Affected by 34 other vulnerabilities.
VCID-m7sr-ms58-4uhh
Aliases:
CVE-2020-1714
GHSA-m6mm-q862-j366
Improper Input Validation in Keycloak A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
11.0.0
Affected by 31 other vulnerabilities.
VCID-m9nn-mnr2-2qbq
Aliases:
CVE-2020-27838
GHSA-pcv5-m2wh-66j3
Keycloak discloses information without authentication A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
13.0.0
Affected by 20 other vulnerabilities.
VCID-madv-hm8a-dfbq
Aliases:
CVE-2019-10199
GHSA-p5xp-6vpf-jwvh
Improper Input Validation and Cross-Site Request Forgery in Keycloak It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.
7.0.0
Affected by 42 other vulnerabilities.
VCID-mgb1-w1sr-eubj
Aliases:
CVE-2024-7260
GHSA-g4gc-rh26-m3p5
Keycloak Open Redirect vulnerability An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the `referrer` and `referrer_uri` parameters are made to trick a user into visiting a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email, for example. This will trigger the vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as an OAuth redirect URI. The malicious actor can further obfuscate the `redirect_uri` using URL encoding, to hide the text of the actual malicious website domain.
24.0.7
Affected by 0 other vulnerabilities.
25.0.0
Affected by 3 other vulnerabilities.
VCID-pqv8-9md7-ykg2
Aliases:
CVE-2019-3875
GHSA-38cg-gg9j-q9j9
Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak A vulnerability was found in Keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL can be obtained from the URL provided in the certificate itself (CDP) or through a separately configured path. CRLs are often available over the network through unsecured protocols ('http' or 'ldap'), and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRLs, which opens the possibility of various attacks such as man-in-the-middle.
7.0.0
Affected by 42 other vulnerabilities.
VCID-rbk3-3kp9-dfh7
Aliases:
CVE-2020-1698
GHSA-qgmm-f2qw-r95f
Keycloak leaks sensitive information in logged exceptions A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.
9.0.0
Affected by 36 other vulnerabilities.
VCID-rejf-mj3m-pqg6
Aliases:
CVE-2020-35509
GHSA-rpj2-w6fr-79hc
Keycloak vulnerable to Improper Certificate Validation Keycloak accepts an expired certificate in the direct-grant authenticator because of missing timestamp validations. The highest threat from this vulnerability is to data confidentiality and integrity. This issue was partially fixed in version [13.0.1](https://github.com/keycloak/keycloak/pull/6330) and more completely fixed in version [14.0.0](https://github.com/keycloak/keycloak/pull/8067).
14.0.0
Affected by 19 other vulnerabilities.
VCID-sx3k-7dn2-eyag
Aliases:
CVE-2023-6927
GHSA-9vm7-v8wj-3fqw
GMS-2024-51
keycloak-core: open redirect via "form_post.jwt" JARM response mode An incomplete fix was found in Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134.
23.0.4
Affected by 8 other vulnerabilities.
VCID-tab1-5msc-nfh5
Aliases:
CVE-2020-1718
GHSA-j229-2h63-rvh9
Improper Authentication for Keycloak A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.
8.0.0
Affected by 38 other vulnerabilities.
VCID-tet4-5q54-wfgq
Aliases:
CVE-2020-1731
GHSA-6pmv-7pr9-cgrj
Predictable password in Keycloak A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.
8.0.2
Affected by 37 other vulnerabilities.
VCID-tpuz-5ntc-puc6
Aliases:
CVE-2024-7318
GHSA-xmmm-jw76-q7vg
Keycloak's One Time Passcode (OTP) is valid longer than expiration time A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable at around 30 seconds, the tokens are valid for an additional 30 seconds, totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
24.0.7
Affected by 0 other vulnerabilities.
25.0.4
Affected by 2 other vulnerabilities.
VCID-u1hf-aqn4-9ufd
Aliases:
CVE-2017-2585
GHSA-w6gv-3r3v-gwgj
keycloak-core vulnerable to timing attacks against JWS token verification Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.
2.5.1.Final
Affected by 52 other vulnerabilities.
2.5.1
Affected by 0 other vulnerabilities.
VCID-u2dq-vdqf-jbez
Aliases:
CVE-2024-10039
GHSA-93ww-43rr-79v3
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.
26.0.6
Affected by 1 other vulnerability.
VCID-u3ew-2n93-2fbe
Aliases:
CVE-2016-8609
GHSA-95m6-mjh3-58gm
Improper Authentication in org.keycloak:keycloak-core It was found that Keycloak before 2.3.0 did not implement the authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which they could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.
2.3.0
Affected by 0 other vulnerabilities.
2.3.0.Final
Affected by 55 other vulnerabilities.
VCID-ukmt-zg1j-97fq
Aliases:
CVE-2022-1274
GHSA-m4fv-gm5m-4725
GMS-2023-528
HTML Injection in Keycloak Admin REST API The `execute-actions-email` endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users.
20.0.5
Affected by 11 other vulnerabilities.
VCID-xamp-qeqk-3qc1
Aliases:
CVE-2020-14302
keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks
13.0.0
Affected by 20 other vulnerabilities.
VCID-xf12-zevt-8qha
Aliases:
CVE-2024-4028
GHSA-q4xq-445g-g6ch
Keycloak allows cross-site scripting (XSS) A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.
26.1.3
Affected by 0 other vulnerabilities.
VCID-xjby-9929-kyed
Aliases:
CVE-2020-14389
GHSA-c9x9-xv66-xp3v
Improper privilege management in Keycloak A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission.
12.0.0
Affected by 29 other vulnerabilities.
VCID-xkj3-qbz7-x7fy
Aliases:
CVE-2019-14837
GHSA-cf8f-w2c5-p5jr
keycloak vulnerable to unauthorized login via mail server setup A flaw was found in Keycloak before version 8.0.0. The owner of the 'placeholder.org' domain can set up a mail server on this domain and, knowing only the name of a client, can reset the password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.
8.0.0
Affected by 38 other vulnerabilities.
VCID-ynan-6bh4-cfhq
Aliases:
CVE-2023-6291
GHSA-mpwq-j3xf-7m5w
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:y@example.com](https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL-decoded version, which no longer represents the original input. Acknowledgements: Karel Knibbe
23.0.0
Affected by 9 other vulnerabilities.
VCID-z3nq-navw-h7hq
Aliases:
GHSA-3hrr-xwvg-hxvr
Duplicate Advisory: Keycloak DoS via account lockout. This advisory has been withdrawn because it is a duplicate of GHSA-cq42-vhv7-xr7p. This link is maintained to preserve external references. Original description: A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.
24.0.0
Affected by 6 other vulnerabilities.
VCID-z84u-usj4-1baj
Aliases:
CVE-2018-14658
GHSA-3qh2-mccc-q5m6
A flaw was found in JBoss Keycloak 3.2.1.Final. The redirect URLs for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect URL is verified. This can lead to an open redirection attack.
3.3.0.CR1
Affected by 50 other vulnerabilities.
VCID-zhjj-b47v-h3e7
Aliases:
CVE-2017-2646
GHSA-jc6q-27mw-p55w
Keycloak vulnerable to infinite loop based Denial of Service When Keycloak versions prior to 2.5.5 receive a Logout request with an Extensions element in the middle of the request, the SAMLSloRequestParser.parse() method ends in an infinite loop. An attacker could use this flaw to conduct denial of service attacks.
2.5.5
Affected by 0 other vulnerabilities.
2.5.5.Final
Affected by 51 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-02T10:12:48.922511+00:00 GitLab Importer Affected by VCID-919t-yfm6-dydu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/GMS-2023-37.yml 37.0.0
2025-08-02T10:10:05.380844+00:00 GitLab Importer Affected by VCID-jaaf-83vf-ekdm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/GMS-2022-7509.yml 37.0.0
2025-08-01T12:11:28.877955+00:00 GitLab Importer Affected by VCID-xf12-zevt-8qha https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-4028.yml 37.0.0
2025-08-01T12:04:36.990615+00:00 GitLab Importer Affected by VCID-u2dq-vdqf-jbez https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-10039.yml 37.0.0
2025-08-01T11:59:19.234989+00:00 GitLab Importer Affected by VCID-tpuz-5ntc-puc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/GHSA-xmmm-jw76-q7vg.yml 37.0.0
2025-08-01T11:59:18.164468+00:00 GitLab Importer Affected by VCID-tpuz-5ntc-puc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-7318.yml 37.0.0
2025-08-01T11:55:06.935159+00:00 GitLab Importer Affected by VCID-27u9-dnbz-m3cu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2023-6841.yml 37.0.0
2025-08-01T11:54:55.570757+00:00 GitLab Importer Affected by VCID-mgb1-w1sr-eubj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-7260.yml 37.0.0
2025-08-01T11:54:54.018027+00:00 GitLab Importer Affected by VCID-8kwu-hac9-1fhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/GHSA-57rh-gr4v-j5f6.yml 37.0.0
2025-08-01T11:49:21.128776+00:00 GitLab Importer Affected by VCID-d212-ftxm-23ft https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/GHSA-gmrm-8fx4-66x7.yml 37.0.0
2025-08-01T11:36:39.506692+00:00 GitLab Importer Affected by VCID-z3nq-navw-h7hq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/GHSA-3hrr-xwvg-hxvr.yml 37.0.0
2025-08-01T11:31:55.536041+00:00 GitLab Importer Affected by VCID-ynan-6bh4-cfhq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2023-6291.yml 37.0.0
2025-08-01T11:31:44.292633+00:00 GitLab Importer Affected by VCID-sx3k-7dn2-eyag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/GMS-2024-51.yml 37.0.0
2025-08-01T11:28:21.626275+00:00 GitLab Importer Affected by VCID-7t4n-1rts-g7cx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2023-6134.yml 37.0.0
2025-08-01T11:20:47.839267+00:00 GitLab Importer Affected by VCID-65b2-56z7-hfan https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2022-3916.yml 37.0.0
2025-08-01T11:05:21.740138+00:00 GitLab Importer Affected by VCID-ukmt-zg1j-97fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2022-1274.yml 37.0.0
2025-08-01T10:44:55.515010+00:00 GitLab Importer Affected by VCID-hak7-6v8b-huan https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2022-0225.yml 37.0.0
2025-08-01T10:44:53.235819+00:00 GitLab Importer Affected by VCID-9mrp-8k8r-dkcf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2021-3856.yml 37.0.0
2025-08-01T10:44:52.277269+00:00 GitLab Importer Affected by VCID-8k4c-w1dp-87du https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2021-3632.yml 37.0.0
2025-08-01T10:44:38.626651+00:00 GitLab Importer Affected by VCID-rejf-mj3m-pqg6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-35509.yml 37.0.0
2025-08-01T10:44:26.905569+00:00 GitLab Importer Affected by VCID-gyrk-cxkp-uyh8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2021-3513.yml 37.0.0
2025-08-01T10:37:07.483530+00:00 GitLab Importer Affected by VCID-xkj3-qbz7-x7fy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2019-14837.yml 37.0.0
2025-08-01T10:28:58.089133+00:00 GitLab Importer Affected by VCID-bb1j-v7vy-kfej https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2014-3656.yml 37.0.0
2025-08-01T10:24:57.754666+00:00 GitLab Importer Affected by VCID-arz8-9ngd-2yce https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2018-10894.yml 37.0.0
2025-08-01T10:24:52.716745+00:00 GitLab Importer Affected by VCID-z84u-usj4-1baj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2018-14658.yml 37.0.0
2025-08-01T10:21:08.683455+00:00 GitLab Importer Affected by VCID-c3gj-w7y1-d3dm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2022-1466.yml 37.0.0
2025-08-01T10:04:50.389593+00:00 GitLab Importer Affected by VCID-1hec-prs3-93ae https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2019-10170.yml 37.0.0
2025-08-01T10:03:20.259035+00:00 GitLab Importer Affected by VCID-m2sg-bxzt-d3g7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1744.yml 37.0.0
2025-08-01T09:56:55.147095+00:00 GitLab Importer Affected by VCID-1uvc-jkdm-z3fn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-27826.yml 37.0.0
2025-08-01T09:56:54.052776+00:00 GitLab Importer Affected by VCID-fkbv-nmgv-q7eh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2021-20195.yml 37.0.0
2025-08-01T09:53:54.524895+00:00 GitLab Importer Affected by VCID-b6mp-jcq2-uqbv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2021-20202.yml 37.0.0
2025-08-01T09:49:38.845623+00:00 GitLab Importer Affected by VCID-m9nn-mnr2-2qbq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-27838.yml 37.0.0
2025-08-01T09:47:48.655151+00:00 GitLab Importer Affected by VCID-31gq-x8za-3bdz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1725.yml 37.0.0
2025-08-01T09:46:22.398118+00:00 GitLab Importer Affected by VCID-xamp-qeqk-3qc1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-14302.yml 37.0.0
2025-08-01T09:46:19.892771+00:00 GitLab Importer Affected by VCID-3dnq-gcve-ufc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-10770.yml 37.0.0
2025-08-01T09:45:10.394784+00:00 GitLab Importer Affected by VCID-6fd9-kenc-8fhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-10776.yml 37.0.0
2025-08-01T09:45:04.688146+00:00 GitLab Importer Affected by VCID-xjby-9929-kyed https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-14389.yml 37.0.0
2025-08-01T09:32:19.464553+00:00 GitLab Importer Affected by VCID-f7ys-kjgb-nyg5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1758.yml 37.0.0
2025-08-01T09:32:10.975250+00:00 GitLab Importer Affected by VCID-m7sr-ms58-4uhh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1714.yml 37.0.0
2025-08-01T09:32:10.326512+00:00 GitLab Importer Affected by VCID-tab1-5msc-nfh5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1718.yml 37.0.0
2025-08-01T09:32:06.285103+00:00 GitLab Importer Affected by VCID-e3ff-n9zd-u7fm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1724.yml 37.0.0
2025-08-01T09:32:05.714510+00:00 GitLab Importer Affected by VCID-rbk3-3kp9-dfh7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1698.yml 37.0.0
2025-08-01T09:31:26.336563+00:00 GitLab Importer Affected by VCID-cp6h-pgxj-4fck https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2019-14820.yml 37.0.0
2025-08-01T09:31:25.444871+00:00 GitLab Importer Affected by VCID-675z-39ka-s3as https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1697.yml 37.0.0
2025-08-01T09:31:24.167607+00:00 GitLab Importer Affected by VCID-tet4-5q54-wfgq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1731.yml 37.0.0
2025-08-01T09:31:06.667289+00:00 GitLab Importer Affected by VCID-k4gc-uaw5-gyer https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2020-1728.yml 37.0.0
2025-08-01T09:25:23.391523+00:00 GitLab Importer Affected by VCID-madv-hm8a-dfbq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2019-10199.yml 37.0.0
2025-08-01T09:25:20.527503+00:00 GitLab Importer Affected by VCID-cnju-ee9e-d3c1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2019-10201.yml 37.0.0
2025-08-01T09:23:32.854855+00:00 GitLab Importer Affected by VCID-pqv8-9md7-ykg2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2019-3875.yml 37.0.0
2025-08-01T09:21:34.737149+00:00 GitLab Importer Affected by VCID-25s7-ksww-6qa2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2019-3868.yml 37.0.0
2025-08-01T09:17:30.484867+00:00 GitLab Importer Affected by VCID-e8vg-dt2k-a3f1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2018-14637.yml 37.0.0
2025-08-01T09:16:23.652182+00:00 GitLab Importer Affected by VCID-4vqy-eayd-gqdq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2016-8629.yml 37.0.0
2025-08-01T09:16:22.862343+00:00 GitLab Importer Affected by VCID-e8kx-9sx3-dkc8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2018-10912.yml 37.0.0
2025-08-01T09:16:19.857971+00:00 GitLab Importer Affected by VCID-jxqa-barm-1kbg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2014-3651.yml 37.0.0
2025-08-01T09:16:19.203320+00:00 GitLab Importer Affected by VCID-873b-rjgu-uyf7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2017-12161.yml 37.0.0
2025-08-01T09:16:16.874289+00:00 GitLab Importer Affected by VCID-zhjj-b47v-h3e7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2017-2646.yml 37.0.0
2025-08-01T09:16:16.417950+00:00 GitLab Importer Affected by VCID-er4b-335e-xydr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2017-2582.yml 37.0.0
2025-08-01T09:16:14.277449+00:00 GitLab Importer Affected by VCID-u3ew-2n93-2fbe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2016-8609.yml 37.0.0
2025-08-01T09:16:13.877818+00:00 GitLab Importer Affected by VCID-u1hf-aqn4-9ufd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2017-2585.yml 37.0.0
2025-08-01T08:08:46.487390+00:00 GHSA Importer Affected by VCID-e8vg-dt2k-a3f1 https://github.com/advisories/GHSA-gf2j-7qwg-4f5x 37.0.0
2025-08-01T08:07:40.009986+00:00 GHSA Importer Affected by VCID-jxqa-barm-1kbg https://github.com/advisories/GHSA-r32r-3977-cgc3 37.0.0
2025-08-01T08:07:39.577953+00:00 GHSA Importer Affected by VCID-873b-rjgu-uyf7 https://github.com/advisories/GHSA-959q-32g8-vvp7 37.0.0
2025-08-01T08:07:39.101036+00:00 GHSA Importer Affected by VCID-e8kx-9sx3-dkc8 https://github.com/advisories/GHSA-h7j7-pw3v-3v3x 37.0.0
2025-08-01T08:07:38.743817+00:00 GHSA Importer Affected by VCID-er4b-335e-xydr https://github.com/advisories/GHSA-c77r-6f64-478q 37.0.0
2025-08-01T08:07:38.371380+00:00 GHSA Importer Affected by VCID-zhjj-b47v-h3e7 https://github.com/advisories/GHSA-jc6q-27mw-p55w 37.0.0
2025-08-01T08:07:38.036920+00:00 GHSA Importer Affected by VCID-u3ew-2n93-2fbe https://github.com/advisories/GHSA-95m6-mjh3-58gm 37.0.0
2025-08-01T08:07:37.739917+00:00 GHSA Importer Affected by VCID-awj2-djb5-eye4 https://github.com/advisories/GHSA-qgm9-232x-hwpx 37.0.0
2025-08-01T08:07:37.379675+00:00 GHSA Importer Affected by VCID-4vqy-eayd-gqdq https://github.com/advisories/GHSA-778x-2mqv-w6xw 37.0.0
2025-08-01T08:07:36.941840+00:00 GHSA Importer Affected by VCID-u1hf-aqn4-9ufd https://github.com/advisories/GHSA-w6gv-3r3v-gwgj 37.0.0
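The history table above lists one row per (importer, source advisory) pair, so the same VCID can appear several times: VCID-tpuz-5ntc-puc6 is fed by two GitLab advisory files (GHSA-xmmm-jw76-q7vg.yml and CVE-2024-7318.yml), and VCID-e8vg-dt2k-a3f1 is reported by both the GitLab Importer and the GHSA Importer. The following Python is an added example, not VulnerableCode's own code, that parses rows in this table's column order and groups them by VCID so you can see which vulnerabilities are corroborated by more than one importer and which advisory identifiers map to each VCID. The handful of rows embedded in HISTORY_ROWS are copied verbatim from the table above (a subset, not the full history); the row regex assumes the column order shown here and only knows the "Affected by" action, which is the only one this page displays.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlparse

# A subset of rows copied verbatim from the history table above.
# Columns, in order: date, actor, action, VCID, source URL, VulnerableCode version.
HISTORY_ROWS = """\
2025-08-01T11:59:19.234989+00:00 GitLab Importer Affected by VCID-tpuz-5ntc-puc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/GHSA-xmmm-jw76-q7vg.yml 37.0.0
2025-08-01T11:59:18.164468+00:00 GitLab Importer Affected by VCID-tpuz-5ntc-puc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-7318.yml 37.0.0
2025-08-01T09:17:30.484867+00:00 GitLab Importer Affected by VCID-e8vg-dt2k-a3f1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2018-14637.yml 37.0.0
2025-08-01T08:08:46.487390+00:00 GHSA Importer Affected by VCID-e8vg-dt2k-a3f1 https://github.com/advisories/GHSA-gf2j-7qwg-4f5x 37.0.0
2025-08-01T10:04:50.389593+00:00 GitLab Importer Affected by VCID-1hec-prs3-93ae https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2019-10170.yml 37.0.0
"""

# Assumption: the actor name may contain spaces, the action is the literal
# "Affected by" (the only action shown on this page), and the remaining three
# fields never contain whitespace.
ROW_RE = re.compile(
    r"^(?P<date>\S+)\s+"
    r"(?P<actor>.+?)\s+"
    r"(?P<action>Affected by)\s+"
    r"(?P<vcid>VCID-\S+)\s+"
    r"(?P<source>https?://\S+)\s+"
    r"(?P<version>\S+)$"
)


def advisory_id(source_url: str) -> str:
    """Return the advisory identifier embedded in a source URL.

    GitLab advisory-database URLs end in '<ID>.yml'; GHSA URLs end in the
    GHSA id itself.  Anything else is returned as its last path segment.
    """
    last = urlparse(source_url).path.rstrip("/").rsplit("/", 1)[-1]
    return last[:-4] if last.endswith(".yml") else last


def parse_history(text: str) -> list[dict]:
    """Parse history rows into dicts; fail loudly on a row that does not fit."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = ROW_RE.match(line)
        if match is None:
            raise ValueError(f"unparsable history row: {line!r}")
        row = match.groupdict()
        row["advisory"] = advisory_id(row["source"])
        rows.append(row)
    return rows


def corroboration(rows: list[dict]) -> dict[str, dict]:
    """Group rows by VCID, collecting the importers and advisory ids behind each."""
    by_vcid: dict[str, dict] = defaultdict(
        lambda: {"importers": set(), "advisories": set()}
    )
    for row in rows:
        entry = by_vcid[row["vcid"]]
        entry["importers"].add(row["actor"])
        entry["advisories"].add(row["advisory"])
    return dict(by_vcid)


def multi_source(rows: list[dict]) -> list[str]:
    """VCIDs that more than one importer reports for this package."""
    grouped = corroboration(rows)
    return sorted(v for v, e in grouped.items() if len(e["importers"]) > 1)


if __name__ == "__main__":
    parsed = parse_history(HISTORY_ROWS)
    for vcid, entry in sorted(corroboration(parsed).items()):
        print(vcid, sorted(entry["importers"]), sorted(entry["advisories"]))
    print("reported by more than one importer:", multi_source(parsed))
```

Treat a VCID backed by a single importer and a single advisory file as unconfirmed until you have read the advisory itself; the importer row only records that a source was ingested, not that its version range was independently checked.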