VulnerableCode Package Details - pkg:maven/org.keycloak/keycloak-model-infinispan@7.0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-65b2-56z7-hfan Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406	Keycloak vulnerable to session takeover with OIDC offline refreshtokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.	20.0.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ynan-6bh4-cfhq Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w	The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:y@example.com](https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input. ### Acknowledgements Karel Knibbe	23.0.0 Affected by 0 other vulnerabilities.
VCID-z3cr-n3zh-2fbn Aliases: CVE-2021-3637 GHSA-2vp8-jv5v-6qh6	Allocation of resources without limits or throttling in keycloak-model-infinispan A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.	14.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-65b2-56z7-hfan
Aliases:
CVE-2022-3916
GHSA-97g8-xfvw-q4hg
GMS-2022-8406

Keycloak vulnerable to session takeover with OIDC offline refreshtokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.

20.0.2
Affected by 1 other vulnerability.

VCID-ynan-6bh4-cfhq
Aliases:
CVE-2023-6291
GHSA-mpwq-j3xf-7m5w

The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:y@example.com](https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input. ### Acknowledgements Karel Knibbe

23.0.0
Affected by 0 other vulnerabilities.

VCID-z3cr-n3zh-2fbn
Aliases:
CVE-2021-3637
GHSA-2vp8-jv5v-6qh6

Allocation of resources without limits or throttling in keycloak-model-infinispan A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.

14.0.0
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2rs5-mk86-tuhn	Keycloak Unauthenticated Access A flaw was found in the Keycloak REST API before version 8.0.0, implemented in Keycloak before 7.0.1 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.	CVE-2019-14832 GHSA-8prc-58j4-m55q

Vulnerability

Summary

Aliases

VCID-2rs5-mk86-tuhn

Keycloak Unauthenticated Access A flaw was found in the Keycloak REST API before version 8.0.0, implemented in Keycloak before 7.0.1 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.

CVE-2019-14832
GHSA-8prc-58j4-m55q

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-02T12:43:37.627572+00:00	GHSA Importer	Fixing	VCID-2rs5-mk86-tuhn	https://github.com/advisories/GHSA-8prc-58j4-m55q	37.0.0
2025-08-01T11:31:57.632559+00:00	GitLab Importer	Affected by	VCID-ynan-6bh4-cfhq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-model-infinispan/CVE-2023-6291.yml	37.0.0
2025-08-01T11:20:44.405155+00:00	GitLab Importer	Affected by	VCID-65b2-56z7-hfan	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-model-infinispan/CVE-2022-3916.yml	37.0.0
2025-08-01T10:31:42.494011+00:00	GitLab Importer	Fixing	VCID-2rs5-mk86-tuhn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-model-infinispan/CVE-2019-14832.yml	37.0.0
2025-08-01T09:58:58.811827+00:00	GitLab Importer	Affected by	VCID-z3cr-n3zh-2fbn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-model-infinispan/CVE-2021-3637.yml	37.0.0
2025-07-31T09:08:47.160673+00:00	GithubOSV Importer	Fixing	VCID-2rs5-mk86-tuhn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8prc-58j4-m55q/GHSA-8prc-58j4-m55q.json	37.0.0