Search for packages
| purl | pkg:maven/org.keycloak/keycloak-core@3.1.0.CR1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1d7p-grah-aaam
Aliases: CVE-2023-0105 GHSA-c7xw-p58w-h6fj GHSA-vhvq-jh34-3fc8 |
Keycloak allows impersonation and lockout due to email trust not being handled correctly |
Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-1dhc-42n6-g3h6
Aliases: GHSA-xmmm-jw76-q7vg |
One Time Passcode (OTP) is valid longer than expiration timeSeverity |
Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-23ms-gvbw-aaae
Aliases: CVE-2021-3856 GHSA-3w4v-rvc4-2xpw |
CVE-2021-3856 keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader |
Affected by 24 other vulnerabilities. |
|
VCID-2pbx-n1m7-aaad
Aliases: CVE-2024-1722 GHSA-3hrr-xwvg-hxvr |
A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in. |
Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-34qq-mtaq-aaap
Aliases: CVE-2019-3868 GHSA-gc52-xj6p-9pxp |
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak |
Affected by 53 other vulnerabilities. |
|
VCID-3vrp-8m8e-aaad
Aliases: GHSA-9vm7-v8wj-3fqw GMS-2024-51 |
keycloak-core: open redirect via "form_post.jwt" JARM response mode |
Affected by 8 other vulnerabilities. |
|
VCID-4kz1-zbkx-aaaq
Aliases: CVE-2023-6134 GHSA-cvg2-7c3j-g36j |
keycloak: reflected XSS via wildcard in OIDC redirect_uri |
Affected by 9 other vulnerabilities. |
|
VCID-4mwd-1qk4-6ya1
Aliases: CVE-2024-4028 GHSA-q4xq-445g-g6ch |
keycloak-core: Stored XSS in Keycloak when creating a items in Admin Console |
Affected by 0 other vulnerabilities. |
|
VCID-5upe-kfg1-aaag
Aliases: CVE-2020-1758 GHSA-c597-f74m-jgc2 |
Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak |
Affected by 39 other vulnerabilities. |
|
VCID-5v5t-uhz9-aaaq
Aliases: CVE-2020-10686 GHSA-9695-w6h2-jpv9 |
Incorrect Authorization A flaw was found in Keycloak where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. |
Affected by 41 other vulnerabilities. |
|
VCID-5yyq-kxcg-aaas
Aliases: CVE-2020-27838 GHSA-pcv5-m2wh-66j3 |
Improper Authentication A flaw was found in keycloak The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. |
Affected by 26 other vulnerabilities. |
|
VCID-6nqn-fym4-aaaq
Aliases: CVE-2020-1697 GHSA-8vf3-4w62-m3pq |
XSS in Keycloak |
Affected by 44 other vulnerabilities. |
|
VCID-6qjb-8vxq-e7be
Aliases: CVE-2023-6841 GHSA-w97f-w3hq-36g2 |
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. |
Affected by 6 other vulnerabilities. |
|
VCID-7ht9-272k-aaaf
Aliases: CVE-2020-1728 GHSA-3gg7-9q2x-79fc |
Improper Restriction of Rendered UI Layers or Frames in Keycloak |
Affected by 39 other vulnerabilities. |
|
VCID-7qnt-1wwt-aaap
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Keycloak vulnerable to session takeover with OIDC offline refreshtokens |
Affected by 17 other vulnerabilities. |
|
VCID-83x1-g189-aaae
Aliases: CVE-2022-0225 GHSA-fqc7-5xxc-ph7r |
CVE-2022-0225 keycloak: Stored XSS in groups dropdown |
Affected by 23 other vulnerabilities. |
|
VCID-9h9c-t5xe-aaah
Aliases: CVE-2018-14658 GHSA-3qh2-mccc-q5m6 |
URL Redirection to Untrusted Site (Open Redirect) The Redirect URL for both Login and Logout are not normalized in `org.keycloak.protocol.oidc.utils.RedirectUtils` before the redirect url is verified. This can lead to an Open Redirection attack. |
Affected by 58 other vulnerabilities. |
|
VCID-a37b-qrj9-aaaf
Aliases: CVE-2020-1714 GHSA-m6mm-q862-j366 |
Improper Input Validation in Keycloak |
Affected by 38 other vulnerabilities. |
|
VCID-a3d5-nsyp-aaaf
Aliases: CVE-2023-4918 GHSA-5q66-v53q-pm35 |
A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment. |
Affected by 11 other vulnerabilities. |
|
VCID-apu1-t8te-aaaj
Aliases: CVE-2020-1724 GHSA-8xj2-47xw-q78c |
Insufficient Session Expiration A flaw was found in Keycloak which allows a malicious user that is currently logged in, to see the personal information of a previously logged-out user in the account manager section. |
Affected by 41 other vulnerabilities. |
|
VCID-bhub-3j9d-aaaj
Aliases: CVE-2018-10912 GHSA-h7j7-pw3v-3v3x |
Moderate severity vulnerability that affects org.keycloak:keycloak-core |
Affected by 56 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-bv9z-gxuw-aaas
Aliases: CVE-2022-1274 GHSA-m4fv-gm5m-4725 GMS-2023-528 |
HTML Injection in Keycloak Admin REST API |
Affected by 15 other vulnerabilities. |
|
VCID-cd3d-w38e-aaac
Aliases: CVE-2019-10170 GHSA-7m27-3587-83xf |
Privilege Defined With Unsafe Actions in Keycloak |
Affected by 46 other vulnerabilities. |
|
VCID-da4z-mr8a-hfek
Aliases: CVE-2024-10039 GHSA-93ww-43rr-79v3 |
keycloak-core: mTLS passthrough |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-den3-5azw-aaak
Aliases: GHSA-c892-cwq6-qrqf |
Duplicate Advisory: Keycloak vulnerable to untrusted certificate validation |
Affected by 13 other vulnerabilities. |
|
VCID-fccp-mqrj-aaaj
Aliases: CVE-2020-14302 |
Authentication Bypass by Capture-replay A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same `state` parameter. This flaw allows a malicious user to perform replay attacks. |
Affected by 26 other vulnerabilities. |
|
VCID-fk8g-8kjz-aaah
Aliases: CVE-2020-1725 GHSA-p225-pc2x-4jpm |
Incorrect Authorization in keycloak |
Affected by 26 other vulnerabilities. |
|
VCID-gfmn-evwc-aaaf
Aliases: CVE-2020-1744 GHSA-4gf2-xv97-63m2 |
Exposure of Sensitive Information in keycloak |
Affected by 1 other vulnerability. Affected by 41 other vulnerabilities. |
|
VCID-j1st-uh9t-aaaf
Aliases: GHSA-755v-r4x4-qf7m GMS-2022-7509 |
Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown |
Affected by 18 other vulnerabilities. |
|
VCID-j4st-9p5f-aaae
Aliases: CVE-2018-14637 GHSA-gf2j-7qwg-4f5x |
Moderate severity vulnerability that affects org.keycloak:keycloak-core |
Affected by 54 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-j888-b4zp-aaad
Aliases: CVE-2019-14820 GHSA-xfqh-7356-vqjj |
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak |
Affected by 46 other vulnerabilities. |
|
VCID-j9x9-5u7p-aaaj
Aliases: CVE-2021-20262 GHSA-xf46-8vvp-4hxx |
Missing authentication for critical function |
Affected by 34 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-kfzc-yxas-aaad
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted |
Affected by 9 other vulnerabilities. |
|
VCID-khbc-26kj-aaad
Aliases: CVE-2021-3632 GHSA-qpq9-jpv4-6gwr |
CVE-2021-3632 keycloak: Anyone can register a new device when there is no device registered for passwordless login |
Affected by 24 other vulnerabilities. |
|
VCID-ksng-jvwm-aaar
Aliases: CVE-2020-10776 GHSA-484q-784p-8m5h |
Cross-site Scripting in keycloak |
Affected by 35 other vulnerabilities. |
|
VCID-m3sb-ekyc-aaad
Aliases: CVE-2020-1698 GHSA-qgmm-f2qw-r95f |
Information Exposure A flaw was found in keycloak A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. |
Affected by 44 other vulnerabilities. |
|
VCID-m93w-vwub-aaab
Aliases: CVE-2020-14389 GHSA-c9x9-xv66-xp3v |
Improper privilege management in Keycloak |
Affected by 35 other vulnerabilities. |
|
VCID-nrxj-tdyg-aaah
Aliases: CVE-2019-10201 GHSA-4fgq-gq9g-3rw7 |
Improper Verification of Cryptographic Signature in keycloak |
Affected by 50 other vulnerabilities. |
|
VCID-p67f-hed7-aaac
Aliases: CVE-2019-3875 GHSA-38cg-gg9j-q9j9 |
Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak |
Affected by 50 other vulnerabilities. |
|
VCID-p6db-yjd1-aaak
Aliases: GHSA-w8v7-c7pm-7wfr |
Duplicate Advisory: Keycloak vulnerable to Cross-Site Scripting (XSS) |
Affected by 19 other vulnerabilities. |
|
VCID-p8eu-wjkn-aaas
Aliases: CVE-2021-3754 GHSA-j9xq-j329-2xvg |
CVE-2021-3754 keycloak: allows using email as username |
Affected by 19 other vulnerabilities. |
|
VCID-pxvj-zt7w-aaae
Aliases: CVE-2020-35509 GHSA-rpj2-w6fr-79hc |
CVE-2020-35509 keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity |
Affected by 25 other vulnerabilities. |
|
VCID-q12f-hsw1-aaam
Aliases: CVE-2020-1718 GHSA-j229-2h63-rvh9 |
Improper Authentication for Keycloak |
Affected by 46 other vulnerabilities. |
|
VCID-q8mt-excf-aaaa
Aliases: CVE-2021-3513 GHSA-xv7h-95r7-595j |
CVE-2021-3513 keycloak: Brute force attack is possible even after the account lockout |
Affected by 26 other vulnerabilities. |
|
VCID-q9y4-889z-aaaa
Aliases: CVE-2020-10770 GHSA-jh7q-5mwf-qvhw |
Server-Side Request Forgery (SSRF) A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the `OIDC` parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. |
Affected by 34 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-qc8g-byp9-aaaf
Aliases: CVE-2024-5967 GHSA-c25h-c27q-5qpv GHSA-gmrm-8fx4-66x7 |
keycloak: Leak of configured LDAP bind credentials through the Keycloak admin console |
Affected by 3 other vulnerabilities. |
|
VCID-qg6f-nunh-aaaj
Aliases: CVE-2019-10199 GHSA-p5xp-6vpf-jwvh |
Improper Input Validation and Cross-Site Request Forgery in Keycloak |
Affected by 50 other vulnerabilities. |
|
VCID-qwpr-cqmm-aaaa
Aliases: CVE-2023-0091 GHSA-v436-q368-hvgg GMS-2023-37 |
Keycloak has lack of validation of access token on client registrations endpoint |
Affected by 16 other vulnerabilities. |
|
VCID-tee7-t9fw-aaad
Aliases: CVE-2023-1664 GHSA-5cc8-pgp5-7mpm |
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable. |
Affected by 13 other vulnerabilities. |
|
VCID-twys-dvqv-aaag
Aliases: CVE-2019-14837 GHSA-cf8f-w2c5-p5jr |
CVE-2019-14837 keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure |
Affected by 46 other vulnerabilities. |
|
VCID-uutq-q387-vfdd
Aliases: CVE-2024-7260 GHSA-g4gc-rh26-m3p5 |
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-vbzs-5utm-tyh7
Aliases: CVE-2024-7318 GHSA-57rh-gr4v-j5f6 |
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-vm3z-fxfc-aaam
Aliases: CVE-2020-1731 GHSA-6pmv-7pr9-cgrj |
Predictable password in Keycloak |
Affected by 45 other vulnerabilities. |
|
VCID-vtrx-4w8y-aaag
Aliases: CVE-2017-12161 GHSA-959q-32g8-vvp7 |
Moderate severity vulnerability that affects org.keycloak:keycloak-core |
Affected by 0 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-x3t2-vuap-aaaq
Aliases: CVE-2021-20195 GHSA-q6w2-89hq-hq27 |
Cross-site scripting in keycloak |
Affected by 34 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-xcg8-g3tg-aaae
Aliases: CVE-2018-10894 GHSA-xvv8-8wh9-9fh2 |
Improper Certificate Validation It was found that SAML authentication in Keycloak incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. |
Affected by 57 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xjgp-vnyp-aaam
Aliases: CVE-2020-27826 GHSA-m9cj-v55f-8x26 |
Authentication Bypass in keycloak |
Affected by 35 other vulnerabilities. |
|
VCID-ydp2-dstr-aaas
Aliases: CVE-2021-20202 GHSA-6xp6-fmc8-pmmr |
Temporary Directory Hijacking Vulnerability in Keycloak |
Affected by 26 other vulnerabilities. |
|
VCID-zyfe-ntqu-aaap
Aliases: CVE-2022-1466 GHSA-f32v-vf79-p29q |
Improper authorization in Keycloak |
Affected by 21 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||