Search for packages
| purl | pkg:maven/org.keycloak/keycloak-model-jpa@1.0-beta-1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1rh2-4svp-xffr
Aliases: CVE-2023-6563 GHSA-54f3-c6hg-865h |
Allocation of Resources Without Limits in Keycloak An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system. |
Affected by 1 other vulnerability. |
|
VCID-2rs5-mk86-tuhn
Aliases: CVE-2019-14832 GHSA-8prc-58j4-m55q |
Keycloak Unauthenticated Access A flaw was found in the Keycloak REST API before version 8.0.0, implemented in Keycloak before 7.0.1 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks. |
Affected by 10 other vulnerabilities. |
|
VCID-31gq-x8za-3bdz
Aliases: CVE-2020-1725 GHSA-p225-pc2x-4jpm |
Incorrect Authorization in keycloak A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. |
Affected by 3 other vulnerabilities. |
|
VCID-3dnq-gcve-ufc6
Aliases: CVE-2020-10770 GHSA-jh7q-5mwf-qvhw |
Keycloak vulnerable to Server-Side Request Forgery A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. |
Affected by 7 other vulnerabilities. |
|
VCID-65b2-56z7-hfan
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Keycloak vulnerable to session takeover with OIDC offline refreshtokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user. |
Affected by 2 other vulnerabilities. |
|
VCID-6fd9-kenc-8fhc
Aliases: CVE-2020-10776 GHSA-484q-784p-8m5h |
Cross-site Scripting in keycloak A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
Affected by 9 other vulnerabilities. |
|
VCID-m9nn-mnr2-2qbq
Aliases: CVE-2020-27838 GHSA-pcv5-m2wh-66j3 |
Keycloak discloses information without authentication A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. |
Affected by 3 other vulnerabilities. |
|
VCID-xamp-qeqk-3qc1
Aliases: CVE-2020-14302 |
keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks |
Affected by 3 other vulnerabilities. |
|
VCID-xjby-9929-kyed
Aliases: CVE-2020-14389 GHSA-c9x9-xv66-xp3v |
Improper privilege management in Keycloak A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission. |
Affected by 9 other vulnerabilities. |
|
VCID-ynan-6bh4-cfhq
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:y@example.com](https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input. ### Acknowledgements Karel Knibbe |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||