Search for packages
| purl | pkg:maven/org.keycloak/keycloak-core@25.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1dhc-42n6-g3h6
Aliases: GHSA-xmmm-jw76-q7vg |
One Time Passcode (OTP) is valid longer than expiration timeSeverity |
Affected by 2 other vulnerabilities. |
|
VCID-4mwd-1qk4-6ya1
Aliases: CVE-2024-4028 GHSA-q4xq-445g-g6ch |
keycloak-core: Stored XSS in Keycloak when creating a items in Admin Console |
Affected by 0 other vulnerabilities. |
|
VCID-da4z-mr8a-hfek
Aliases: CVE-2024-10039 GHSA-93ww-43rr-79v3 |
keycloak-core: mTLS passthrough |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-qc8g-byp9-aaaf | keycloak: Leak of configured LDAP bind credentials through the Keycloak admin console |
CVE-2024-5967
GHSA-c25h-c27q-5qpv GHSA-gmrm-8fx4-66x7 |
| VCID-uutq-q387-vfdd | An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain. |
CVE-2024-7260
GHSA-g4gc-rh26-m3p5 |
| VCID-vbzs-5utm-tyh7 | A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
CVE-2024-7318
GHSA-57rh-gr4v-j5f6 |