Package details: pkg:maven/org.keycloak/keycloak-parent@1.0-alpha-3
purl pkg:maven/org.keycloak/keycloak-parent@1.0-alpha-3
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.5
Vulnerabilities affecting this package (25)
Vulnerability Summary Fixed by
VCID-31gq-x8za-3bdz
Aliases:
CVE-2020-1725
GHSA-p225-pc2x-4jpm
Incorrect Authorization in keycloak
A flaw was found in Keycloak before version 13.0.0. In some scenarios a user retains access to a resource after their role mappings have been changed in Keycloak, even after the previous access token has expired.
13.0.0
Affected by 12 other vulnerabilities.
VCID-65b2-56z7-hfan
Aliases:
CVE-2022-3916
GHSA-97g8-xfvw-q4hg
GMS-2022-8406
Keycloak vulnerable to session takeover with OIDC offline refresh tokens
An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions, together with a lack of root session validation, enabled attackers to resolve a user session attached to a different, previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user then authenticates to the application. In that case the second user shares the same root session id, and when the refresh token is used they are issued a token for the original user.
20.0.2
Affected by 3 other vulnerabilities.
VCID-6fd9-kenc-8fhc
Aliases:
CVE-2020-10776
GHSA-484q-784p-8m5h
Cross-site Scripting in keycloak
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a cross-site scripting attack.
12.0.0
Affected by 16 other vulnerabilities.
VCID-6z2u-nghd-sfhk
Aliases:
CVE-2020-1717
GHSA-rvfc-g8j5-9ccf
Generation of Error Message Containing Sensitive Information in Keycloak
A flaw was found in Keycloak 7.0.1. A logged-in user can perform an account email enumeration attack.
8.0.0
Affected by 19 other vulnerabilities.
VCID-8k4c-w1dp-87du
Aliases:
CVE-2021-3632
GHSA-qpq9-jpv4-6gwr
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key for any user who does not already have a device registered, by using the WebAuthn password-less login flow.
15.1.0
Affected by 10 other vulnerabilities.
VCID-929e-njv7-mycr
Aliases:
CVE-2020-14366
GHSA-cp67-8w3w-6h9c
Path Traversal
A vulnerability was found in Keycloak where path traversal using URL-encoded path segments in the request is possible, because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw.
12.0.0
Affected by 16 other vulnerabilities.
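The CVE-2020-14366 entry above describes the classic decode-after-check ordering bug: the URL path is inspected for ".." segments while still percent-encoded, then decoded and mapped onto the filesystem. The following is an added example, not Keycloak's resources endpoint code: a resolver written in the flawed order next to one that decodes once, normalises, and proves the result is still under the root. The root directory, the URL paths and the double-encoding rejection policy are constructed for the example; the page does not describe Keycloak's on-disk layout and none is assumed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed root directory for the example; the page does not describe the
# real on-disk layout of Keycloak's resources, so none is assumed.
RESOURCE_ROOT = "/srv/keycloak/resources"


def where_it_lands(file_path: str) -> str:
    """The path the OS actually opens once '.' and '..' segments are resolved."""
    return posixpath.normpath(file_path)


def inside_root(file_path: str) -> bool:
    """True when the resolved path is RESOURCE_ROOT itself or below it."""
    resolved = where_it_lands(file_path)
    return resolved == RESOURCE_ROOT or resolved.startswith(RESOURCE_ROOT + "/")


def resolve_vulnerable(url_path: str) -> Optional[str]:
    """Check the raw URL path for '..', then decode and map it onto the disk.

    "%2e%2e" is not ".." when the check runs, but it is ".." after unquote(),
    so the returned file path walks out of RESOURCE_ROOT when it is opened.
    """
    if ".." in url_path.split("/"):
        return None
    return posixpath.join(RESOURCE_ROOT, unquote(url_path).lstrip("/"))


def resolve_hardened(url_path: str) -> Optional[str]:
    """Decode once, normalise, then prove the result is still under the root."""
    decoded = unquote(url_path)
    # A '%' left after one decode means the client double-encoded; a NUL would
    # truncate the path in native code.  Neither is legitimate for static files.
    if "%" in decoded or "\x00" in decoded:
        return None
    candidate = where_it_lands(posixpath.join(RESOURCE_ROOT, decoded.lstrip("/")))
    # The prefix test on the normalised path is what stops traversal; a
    # deployment with symlinks under the root would also need os.path.realpath.
    if not inside_root(candidate):
        return None
    return candidate
```

Run with a legitimate theme asset and with `theme/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd`: the vulnerable resolver returns a path that `where_it_lands` collapses to `/etc/passwd`, the hardened one returns `None`. Normalising rather than blanket-rejecting ".." keeps harmless inputs such as `theme/../login.css` working.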
VCID-9czu-nrqb-kfec
Aliases:
CVE-2022-2256
GHSA-w9mf-83w3-fv49
Keycloak vulnerable to Stored Cross-site Scripting (XSS) when loading default roles
A stored XSS vulnerability was reported on the Keycloak security mailing list, affecting all versions of Keycloak including the latest release at the time (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the default roles functionality.
CVSS 3.1: 3.8 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N). User interaction is not required because the admin console is regularly used during an administrator's work; the scope is unchanged because the admin console web application is both the vulnerable component and the place where the exploit executes.
Credits: Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz), NETAŞ PENTEST TEAM
19.0.2
Affected by 5 other vulnerabilities.
VCID-au3p-x8uh-j7cv
Aliases:
CVE-2022-3782
GHSA-g8q8-fggx-9r3q
GMS-2022-8407
Keycloak vulnerable to path traversal via double URL encoding
Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.
20.0.1
Affected by 4 other vulnerabilities.
20.0.2
Affected by 3 other vulnerabilities.
VCID-bsqr-d8vy-vuca
Aliases:
CVE-2018-14657
GHSA-85v8-vx4w-q684
Keycloak Improper Bruteforce Detection
A flaw was found in Keycloak 4.2.1.Final and 4.3.0.Final. When TOTP is enabled, an improper implementation of the brute force detection algorithm does not enforce its protection measures.
4.4.0.Final
Affected by 20 other vulnerabilities.
4.6.0.Final
Affected by 20 other vulnerabilities.
VCID-cu62-wvqd-a3ed
Aliases:
CVE-2020-10758
GHSA-52rg-hpwq-qp56
Allocation of Resources Without Limits or Throttling in Keycloak
A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
11.0.1
Affected by 17 other vulnerabilities.
VCID-dqcp-m1ty-u7fr
Aliases:
CVE-2017-12160
GHSA-qc72-gfvw-76h7
Keycloak Oauth Implementation Error
It was found that Keycloak OAuth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage even after permission revocation. An attacker on an already compromised resource could use this flaw to grant themselves continued permissions and possibly conduct further attacks.
3.3.0.Final
Affected by 25 other vulnerabilities.
3.4.0.CR1
Affected by 24 other vulnerabilities.
VCID-ecgn-akb2-2bhh
Aliases:
CVE-2020-1694
GHSA-72j4-94rx-cr6w
Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience setting. This flaw results in some users having access to sensitive information outside of their permissions.
10.0.0
Affected by 19 other vulnerabilities.
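The CVE-2020-1694 entry above is an audience-confusion bug: a resource server that checks only the signature and expiry of a realm token will accept a token that was issued for a different client. The following is an added example, not Keycloak's NodeJS adapter: a minimal JWT mint/verify pair and an `adapter_accepts` decision that can be run with and without audience enforcement. The HS256 shared key, the client names and the claims are constructed for the example (Keycloak itself signs with RS256 by default; HS256 is used only to keep the code self-contained).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed shared secret standing in for the realm's signing key.
REALM_KEY = b"constructed-realm-signing-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict[str, Any], key: bytes = REALM_KEY) -> str:
    """Issue an HS256 JWT for the given claims (the realm's role here)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes = REALM_KEY, expected_audience: Optional[str] = None,
                 now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Check signature, alg, exp and, when expected_audience is given, aud."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    if expected_audience is not None:
        aud = claims.get("aud", [])
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_audience not in audiences:
            return None
    return claims


def adapter_accepts(token: str, client_id: str, verify_token_audience: bool,
                    now: Optional[float] = None) -> bool:
    """What a resource-server adapter decides for a token presented to client_id.

    verify_token_audience=False is the behaviour the advisory describes: any
    validly signed realm token is accepted, whichever client it was issued for.
    """
    audience = client_id if verify_token_audience else None
    return verify_token(token, expected_audience=audience, now=now) is not None
```

Mint a token with `aud` set to `reporting-app` and present it to `payroll-api`: with audience verification off it is accepted on the strength of its signature alone; with it on, the token is rejected unless `payroll-api` appears in `aud`.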
VCID-f7ys-kjgb-nyg5
Aliases:
CVE-2020-1758
GHSA-c597-f74m-jgc2
Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
10.0.0
Affected by 19 other vulnerabilities.
VCID-ffj4-zmgw-1kaj
Aliases:
CVE-2022-2668
GHSA-wf7g-7h6h-678v
Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console
An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the `UPLOAD_SCRIPTS` feature is disabled.
19.0.2
Affected by 5 other vulnerabilities.
VCID-ffj8-xhcs-7kfx
Aliases:
CVE-2018-14655
GHSA-458h-wv48-fq75
Keycloak vulnerable to cross-site scripting via the state parameter
A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2 and 4.3.0.Final. When using `response_mode=form_post` it is possible to inject arbitrary JavaScript code via the `state` parameter in the authentication URL. This allows an XSS attack upon successful login.
4.0.0.Beta3
Affected by 21 other vulnerabilities.
4.4.0.Final
Affected by 20 other vulnerabilities.
VCID-gyrk-cxkp-uyh8
Aliases:
CVE-2021-3513
GHSA-xv7h-95r7-595j
Incorrect implementation of lockout feature in Keycloak
A flaw was found in Keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to an incorrect error message being displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
13.0.0
Affected by 12 other vulnerabilities.
VCID-khfn-ze7d-5fd5
Aliases:
CVE-2021-3827
GHSA-4pc7-vqv5-5r3v
GMS-2022-1098
ECP SAML binding bypasses authentication flows
A flaw was found in Keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior an attacker can bypass MFA by sending a SOAP request containing an AuthnRequest together with an Authorization header carrying the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.
18.0.0
Affected by 7 other vulnerabilities.
VCID-r2r9-z6dp-2ycz
Aliases:
CVE-2020-14359
GHSA-jh6m-3pqw-242h
Keycloak Gatekeeper vulnerable to bypass on using lower case HTTP headers
A vulnerability was found in all versions of the deprecated package Keycloak Gatekeeper, where sending lower-case HTTP header names (for example via cURL) bypasses Gatekeeper's checks. Lower-case header names are also accepted by some web servers (e.g. Jetty), so there is no protection when Gatekeeper is placed in front of a Jetty server and the client uses lower-case headers.
13.0.0
Affected by 12 other vulnerabilities.
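The CVE-2020-14359 entry above turns on a single fact: HTTP field names are case-insensitive (RFC 9110, section 5.1), so a gateway that compares them case-sensitively filters `X-Forwarded-User` but passes `x-forwarded-user`, which the upstream then honours. The following is an added example, not Gatekeeper's code. The header names, the request and the policy of stripping rather than rejecting are constructed for the example; the page does not say which headers Gatekeeper inspected.

```python
from typing import Dict, Optional

# Constructed set of headers the gateway is supposed to strip from client
# requests so that only the gateway itself can assert them upstream.
PROTECTED_HEADERS = {"X-Forwarded-User", "X-Auth-Token"}


def filter_headers_vulnerable(headers: Dict[str, str]) -> Dict[str, str]:
    """Strip protected headers by exact, case-sensitive name match.

    "x-forwarded-user" is not in PROTECTED_HEADERS, so it is forwarded
    untouched; a case-insensitive upstream such as Jetty then treats it as
    X-Forwarded-User.
    """
    return {name: value for name, value in headers.items() if name not in PROTECTED_HEADERS}


def filter_headers_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Compare names case-insensitively, the way the upstream will read them."""
    protected = {name.lower() for name in PROTECTED_HEADERS}
    return {name: value for name, value in headers.items() if name.lower() not in protected}


def upstream_lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """How a case-insensitive server (Jetty in the advisory) reads a header."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


# Constructed client request: the protected header is smuggled in lower case.
CLIENT_REQUEST = {
    "Host": "app.internal",
    "x-forwarded-user": "admin",
    "X-Auth-Token": "attacker-supplied",
}
```

`upstream_lookup(filter_headers_vulnerable(CLIENT_REQUEST), "X-Forwarded-User")` still yields `admin`; the hardened filter removes it while leaving unrelated headers such as `Host` in place. Any gateway check that gates on header names, not just stripping, needs the same normalisation.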
VCID-ra33-nmra-qkbx
Aliases:
CVE-2017-12158
GHSA-v38p-mqq3-m6v5
Keycloak Reflected XSS
It was found that Keycloak would accept a Host header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
3.4.0.Final
Affected by 22 other vulnerabilities.
3.4.0
Affected by 0 other vulnerabilities.
VCID-tab1-5msc-nfh5
Aliases:
CVE-2020-1718
GHSA-j229-2h63-rvh9
Improper Authentication for Keycloak
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.
8.0.0
Affected by 19 other vulnerabilities.
VCID-ttnf-w73s-zfea
Aliases:
GHSA-3p75-q5cc-qmj7
Duplicate Advisory: Keycloak Open Redirect vulnerability
This advisory has been withdrawn because it is a duplicate of GHSA-9vm7-v8wj-3fqw. This link is maintained to preserve external references.
Original description: A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt", which could be used to bypass the security patch implemented to address CVE-2023-6134.
23.0.4
Affected by 1 other vulnerability.
VCID-ynan-6bh4-cfhq
Aliases:
CVE-2023-6291
GHSA-mpwq-j3xf-7m5w
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted
An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input but causes a desynchronization between how Keycloak and browsers interpret URLs. Keycloak, for example, receives "www%2ekeycloak%2eorg%2fapp%2f:y@example.com" and takes the authority to be keycloak.org, when it is actually example.com. This happens because the validation logic is performed on a URL-decoded version of the input, which no longer represents the original input.
Acknowledgements: Karel Knibbe
23.0.0
Affected by 2 other vulnerabilities.
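The three redirect_uri entries on this page (CVE-2020-10776, CVE-2022-3782 and CVE-2023-6291) share one root cause: the validator and the browser disagree about what the submitted URL means. The following is an added example, not Keycloak's verifyRedirectUri, showing the decode-then-match order next to a component-based check that parses the raw string the way a browser does. The allowlist, the trailing-"*" prefix semantics, the https scheme prepended to the advisory's quoted value, and the strict rejection of percent signs that survive one decode are assumptions of the example; the exact encoding mishandled in CVE-2022-3782 is not described on this page, so the double-encoding check illustrates the class rather than that specific bug.

```python
import posixpath
from typing import Iterable, Optional
from urllib.parse import unquote, urlsplit

# Constructed stand-in for one client's "Valid redirect URIs" setting.  A
# trailing "*" means prefix match, mirroring Keycloak's client configuration.
ALLOWLIST = ["https://www.keycloak.org/app/*"]

# The value quoted in the CVE-2023-6291 advisory above, with an https scheme
# prepended (an assumption: the advisory quotes it without the scheme).
MALICIOUS = "https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/"


def _pattern_matches(candidate: str, pattern: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return candidate.startswith(pattern[:-1])
    return candidate == pattern


def verify_redirect_uri_vulnerable(redirect_uri: str, allowlist: Iterable[str]) -> Optional[str]:
    """Decode first, then match the decoded string (the flawed order).

    unquote() turns MALICIOUS into "https://www.keycloak.org/app/:y@example.com/",
    which starts with the allowed prefix.  The browser never sees that string:
    it navigates to the raw value, whose authority is example.com because
    everything before the '@' is userinfo.
    """
    decoded = unquote(redirect_uri)
    if any(_pattern_matches(decoded, p) for p in allowlist):
        return redirect_uri  # the raw string is what goes into the Location header
    return None


def verify_redirect_uri_hardened(redirect_uri: str, allowlist: Iterable[str]) -> Optional[str]:
    """Parse the raw string the way a browser will, then compare components."""
    parsed = urlsplit(redirect_uri)
    # https only: also rejects javascript:, data: and scheme-less values.
    if parsed.scheme != "https" or not parsed.hostname:
        return None
    # Userinfo or percent-encoding inside the authority has no legitimate use
    # in a redirect target and is exactly what disguised the real host above.
    if "@" in parsed.netloc or "%" in parsed.netloc:
        return None
    try:
        port = parsed.port
    except ValueError:  # e.g. "https://host:abc/"
        return None
    # Decode the path once and normalise "." and ".." lexically.  A '%' that
    # survives one decode is treated as double encoding and rejected (a strict
    # policy: literal '%' characters in redirect paths are given up).
    decoded_path = unquote(parsed.path or "/")
    path = posixpath.normpath(decoded_path)
    if decoded_path.endswith("/") and not path.endswith("/"):
        path += "/"
    if "%" in path or not path.startswith("/"):
        return None
    normalised = f"https://{parsed.hostname}"
    if port is not None and port != 443:
        normalised += f":{port}"
    normalised += path
    # Query string and fragment are intentionally left out of the comparison;
    # a production validator needs an explicit policy for them.
    if any(_pattern_matches(normalised, p) for p in allowlist):
        return redirect_uri
    return None
```

Feed both validators the advisory's value: the decode-first version returns it (the decoded form matches the prefix), the component-based version rejects it at the userinfo check, and with a bare "*" allowlist it also refuses a `javascript:` scheme that the string-matching version lets through.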
VCID-z3cr-n3zh-2fbn
Aliases:
CVE-2021-3637
GHSA-2vp8-jv5v-6qh6
Allocation of resources without limits or throttling in keycloak-model-infinispan
A flaw was found in keycloak-model-infinispan in Keycloak versions before 14.0.0, where the authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly, which could lead to a DoS attack.
14.0.0
Affected by 11 other vulnerabilities.
VCID-z3pw-p7yr-hydr
Aliases:
CVE-2020-10748
GHSA-hgpg-593r-hhvp
Cross-site Scripting in Keycloak
A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
10.0.2
Affected by 18 other vulnerabilities.
VCID-zx77-xapa-gfcr
Aliases:
CVE-2017-12159
GHSA-7fmw-85qm-h22p
3.4.0.Final
Affected by 22 other vulnerabilities.
3.4.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-02T10:11:02.121213+00:00 GitLab Importer Affected by VCID-au3p-x8uh-j7cv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/GMS-2022-8407.yml 37.0.0
2025-08-01T11:31:52.610927+00:00 GitLab Importer Affected by VCID-ynan-6bh4-cfhq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2023-6291.yml 37.0.0
2025-08-01T11:29:36.291937+00:00 GitLab Importer Affected by VCID-ttnf-w73s-zfea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/GHSA-3p75-q5cc-qmj7.yml 37.0.0
2025-08-01T11:20:52.072725+00:00 GitLab Importer Affected by VCID-65b2-56z7-hfan https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/GMS-2022-8406.yml 37.0.0
2025-08-01T10:48:20.486848+00:00 GitLab Importer Affected by VCID-ffj4-zmgw-1kaj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2022-2668.yml 37.0.0
2025-08-01T10:48:11.944919+00:00 GitLab Importer Affected by VCID-9czu-nrqb-kfec https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2022-2256.yml 37.0.0
2025-08-01T10:44:50.337412+00:00 GitLab Importer Affected by VCID-8k4c-w1dp-87du https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2021-3632.yml 37.0.0
2025-08-01T10:44:32.743382+00:00 GitLab Importer Affected by VCID-gyrk-cxkp-uyh8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2021-3513.yml 37.0.0
2025-08-01T10:44:27.526306+00:00 GitLab Importer Affected by VCID-khfn-ze7d-5fd5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2021-3827.yml 37.0.0
2025-08-01T10:25:04.375408+00:00 GitLab Importer Affected by VCID-ffj8-xhcs-7kfx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2018-14655.yml 37.0.0
2025-08-01T10:24:32.482262+00:00 GitLab Importer Affected by VCID-ra33-nmra-qkbx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2017-12158.yml 37.0.0
2025-08-01T10:23:30.481766+00:00 GitLab Importer Affected by VCID-zx77-xapa-gfcr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2017-12159.yml 37.0.0
2025-08-01T10:22:53.923474+00:00 GitLab Importer Affected by VCID-bsqr-d8vy-vuca https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2018-14657.yml 37.0.0
2025-08-01T10:22:35.873629+00:00 GitLab Importer Affected by VCID-dqcp-m1ty-u7fr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2017-12160.yml 37.0.0
2025-08-01T10:13:25.653123+00:00 GitLab Importer Affected by VCID-cu62-wvqd-a3ed https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-10758.yml 37.0.0
2025-08-01T10:13:23.785988+00:00 GitLab Importer Affected by VCID-tab1-5msc-nfh5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-1718.yml 37.0.0
2025-08-01T10:13:17.247425+00:00 GitLab Importer Affected by VCID-f7ys-kjgb-nyg5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-1758.yml 37.0.0
2025-08-01T10:13:15.358207+00:00 GitLab Importer Affected by VCID-ecgn-akb2-2bhh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-1694.yml 37.0.0
2025-08-01T10:12:23.179816+00:00 GitLab Importer Affected by VCID-6z2u-nghd-sfhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-1717.yml 37.0.0
2025-08-01T10:12:21.907666+00:00 GitLab Importer Affected by VCID-929e-njv7-mycr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-14366.yml 37.0.0
2025-08-01T10:12:16.743429+00:00 GitLab Importer Affected by VCID-6fd9-kenc-8fhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-10776.yml 37.0.0
2025-08-01T10:12:16.061663+00:00 GitLab Importer Affected by VCID-31gq-x8za-3bdz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-1725.yml 37.0.0
2025-08-01T10:12:08.901980+00:00 GitLab Importer Affected by VCID-z3pw-p7yr-hydr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-10748.yml 37.0.0
2025-08-01T10:12:04.907957+00:00 GitLab Importer Affected by VCID-r2r9-z6dp-2ycz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2020-14359.yml 37.0.0
2025-08-01T09:59:00.776421+00:00 GitLab Importer Affected by VCID-z3cr-n3zh-2fbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-parent/CVE-2021-3637.yml 37.0.0