Search for packages
| purl | pkg:maven/org.keycloak/keycloak-model-infinispan@3.4.1.Final |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2rs5-mk86-tuhn
Aliases: CVE-2019-14832 GHSA-8prc-58j4-m55q |
Keycloak Unauthenticated Access A flaw was found in the Keycloak REST API before version 8.0.0, implemented in Keycloak before 7.0.1 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks. |
Affected by 3 other vulnerabilities. |
|
VCID-65b2-56z7-hfan
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Keycloak vulnerable to session takeover with OIDC offline refreshtokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user. |
Affected by 1 other vulnerability. |
|
VCID-ynan-6bh4-cfhq
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:y@example.com](https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input. ### Acknowledgements Karel Knibbe |
Affected by 0 other vulnerabilities. |
|
VCID-z3cr-n3zh-2fbn
Aliases: CVE-2021-3637 GHSA-2vp8-jv5v-6qh6 |
Allocation of resources without limits or throttling in keycloak-model-infinispan A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-08-01T11:31:57.524996+00:00 | GitLab Importer | Affected by | VCID-ynan-6bh4-cfhq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-model-infinispan/CVE-2023-6291.yml | 37.0.0 |
| 2025-08-01T11:20:44.301146+00:00 | GitLab Importer | Affected by | VCID-65b2-56z7-hfan | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-model-infinispan/CVE-2022-3916.yml | 37.0.0 |
| 2025-08-01T10:31:42.386780+00:00 | GitLab Importer | Affected by | VCID-2rs5-mk86-tuhn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-model-infinispan/CVE-2019-14832.yml | 37.0.0 |
| 2025-08-01T09:58:58.671221+00:00 | GitLab Importer | Affected by | VCID-z3cr-n3zh-2fbn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-model-infinispan/CVE-2021-3637.yml | 37.0.0 |