Search for packages
| purl | pkg:maven/org.keycloak/keycloak-core@19.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1d7p-grah-aaam
Aliases: CVE-2023-0105 GHSA-c7xw-p58w-h6fj GHSA-vhvq-jh34-3fc8 |
Keycloak allows impersonation and lockout due to email trust not being handled correctly |
Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-1dhc-42n6-g3h6
Aliases: GHSA-xmmm-jw76-q7vg |
One Time Passcode (OTP) is valid longer than expiration timeSeverity |
Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-2pbx-n1m7-aaad
Aliases: CVE-2024-1722 GHSA-3hrr-xwvg-hxvr |
A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in. |
Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-3vrp-8m8e-aaad
Aliases: GHSA-9vm7-v8wj-3fqw GMS-2024-51 |
keycloak-core: open redirect via "form_post.jwt" JARM response mode |
Affected by 8 other vulnerabilities. |
|
VCID-4kz1-zbkx-aaaq
Aliases: CVE-2023-6134 GHSA-cvg2-7c3j-g36j |
keycloak: reflected XSS via wildcard in OIDC redirect_uri |
Affected by 9 other vulnerabilities. |
|
VCID-4mwd-1qk4-6ya1
Aliases: CVE-2024-4028 GHSA-q4xq-445g-g6ch |
keycloak-core: Stored XSS in Keycloak when creating a items in Admin Console |
Affected by 0 other vulnerabilities. |
|
VCID-6qjb-8vxq-e7be
Aliases: CVE-2023-6841 GHSA-w97f-w3hq-36g2 |
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. |
Affected by 6 other vulnerabilities. |
|
VCID-7qnt-1wwt-aaap
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Keycloak vulnerable to session takeover with OIDC offline refreshtokens |
Affected by 17 other vulnerabilities. |
|
VCID-a3d5-nsyp-aaaf
Aliases: CVE-2023-4918 GHSA-5q66-v53q-pm35 |
A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment. |
Affected by 11 other vulnerabilities. |
|
VCID-bv9z-gxuw-aaas
Aliases: CVE-2022-1274 GHSA-m4fv-gm5m-4725 GMS-2023-528 |
HTML Injection in Keycloak Admin REST API |
Affected by 15 other vulnerabilities. |
|
VCID-da4z-mr8a-hfek
Aliases: CVE-2024-10039 GHSA-93ww-43rr-79v3 |
keycloak-core: mTLS passthrough |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-den3-5azw-aaak
Aliases: GHSA-c892-cwq6-qrqf |
Duplicate Advisory: Keycloak vulnerable to untrusted certificate validation |
Affected by 13 other vulnerabilities. |
|
VCID-j1st-uh9t-aaaf
Aliases: GHSA-755v-r4x4-qf7m GMS-2022-7509 |
Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown |
Affected by 18 other vulnerabilities. |
|
VCID-kfzc-yxas-aaad
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted |
Affected by 9 other vulnerabilities. |
|
VCID-p6db-yjd1-aaak
Aliases: GHSA-w8v7-c7pm-7wfr |
Duplicate Advisory: Keycloak vulnerable to Cross-Site Scripting (XSS) |
Affected by 19 other vulnerabilities. |
|
VCID-p8eu-wjkn-aaas
Aliases: CVE-2021-3754 GHSA-j9xq-j329-2xvg |
CVE-2021-3754 keycloak: allows using email as username |
Affected by 19 other vulnerabilities. |
|
VCID-qc8g-byp9-aaaf
Aliases: CVE-2024-5967 GHSA-c25h-c27q-5qpv GHSA-gmrm-8fx4-66x7 |
keycloak: Leak of configured LDAP bind credentials through the Keycloak admin console |
Affected by 3 other vulnerabilities. |
|
VCID-qwpr-cqmm-aaaa
Aliases: CVE-2023-0091 GHSA-v436-q368-hvgg GMS-2023-37 |
Keycloak has lack of validation of access token on client registrations endpoint |
Affected by 16 other vulnerabilities. |
|
VCID-tee7-t9fw-aaad
Aliases: CVE-2023-1664 GHSA-5cc8-pgp5-7mpm |
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable. |
Affected by 13 other vulnerabilities. |
|
VCID-uutq-q387-vfdd
Aliases: CVE-2024-7260 GHSA-g4gc-rh26-m3p5 |
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-vbzs-5utm-tyh7
Aliases: CVE-2024-7318 GHSA-57rh-gr4v-j5f6 |
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||