Search for packages
| purl | pkg:maven/org.keycloak/keycloak-core@23.0.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27u9-dnbz-m3cu
Aliases: CVE-2023-6841 GHSA-w97f-w3hq-36g2 |
Keycloak Denial of Service vulnerability A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature. |
Affected by 6 other vulnerabilities. |
|
VCID-8kwu-hac9-1fhk
Aliases: GHSA-57rh-gr4v-j5f6 |
Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references. # Original Description A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-d212-ftxm-23ft
Aliases: GHSA-gmrm-8fx4-66x7 |
Duplicate Advisory: Keycloak: Leak of configured LDAP bind credentials ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c25h-c27q-5qpv. This link is maintained to preserve external references. ## Original Description A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain. |
Affected by 3 other vulnerabilities. |
|
VCID-mgb1-w1sr-eubj
Aliases: CVE-2024-7260 GHSA-g4gc-rh26-m3p5 |
Keycloak Open Redirect vulnerability An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the `referrer` and `referrer_uri` parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the `redirect_uri` using URL encoding, to hide the text of the actual malicious website domain. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-tpuz-5ntc-puc6
Aliases: CVE-2024-7318 GHSA-xmmm-jw76-q7vg |
Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-u2dq-vdqf-jbez
Aliases: CVE-2024-10039 GHSA-93ww-43rr-79v3 |
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism. |
Affected by 1 other vulnerability. |
|
VCID-xf12-zevt-8qha
Aliases: CVE-2024-4028 GHSA-q4xq-445g-g6ch |
Keycloak allows cross-site scripting (XSS) A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. |
Affected by 0 other vulnerabilities. |
|
VCID-z3nq-navw-h7hq
Aliases: GHSA-3hrr-xwvg-hxvr |
Duplicate Advisory: Keycloak DoS via account lockout # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cq42-vhv7-xr7p. This link is maintained to preserve external references. # Original Description A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||