| Field | Value |
|---|---|
| purl | pkg:maven/org.keycloak/keycloak-parent@1.0-alpha-4 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-1eym-s789-aaad (Aliases: CVE-2020-1694, GHSA-72j4-94rx-cr6w) | Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak | Affected by 22 other vulnerabilities. |
VCID-5upe-kfg1-aaag (Aliases: CVE-2020-1758, GHSA-c597-f74m-jgc2) | Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak | Affected by 22 other vulnerabilities. |
VCID-6367-jty3-aaak (Aliases: CVE-2022-3782, GHSA-g8q8-fggx-9r3q, GMS-2022-8407) | Keycloak vulnerable to path traversal via double URL encoding | Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-6gmx-q9wm-aaan (Aliases: CVE-2022-2668, GHSA-q2gp-gph3-88x9, GHSA-wf7g-7h6h-678v) | An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled | Affected by 6 other vulnerabilities. |
VCID-6q92-s7v5-aaab (Aliases: CVE-2021-3461, GHSA-cm29-6wx7-p874) | Insufficient Session Expiration: a flaw was found in Keycloak where Keycloak may fail to log out a user session if the logout request comes from an external SAML identity provider and Principal Type is set to Attribute [Name]. | Affected by 12 other vulnerabilities. |
VCID-6vyw-xhfa-aaas (Aliases: CVE-2020-14366, GHSA-cp67-8w3w-6h9c) | Path Traversal | Affected by 18 other vulnerabilities. |
VCID-7qnt-1wwt-aaap (Aliases: CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406) | Keycloak vulnerable to session takeover with OIDC offline refresh tokens | Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-a37b-qrj9-aaaf (Aliases: CVE-2020-1714, GHSA-m6mm-q862-j366) | Improper Input Validation in Keycloak | Affected by 20 other vulnerabilities. |
VCID-b76u-hkzd-aaap (Aliases: CVE-2021-3827, GHSA-4pc7-vqv5-5r3v, GMS-2022-1098) | ECP SAML binding bypasses authentication flows | Affected by 8 other vulnerabilities. |
VCID-cevr-hgfk-aaae (Aliases: CVE-2021-3637, GHSA-2vp8-jv5v-6qh6) | Allocation of resources without limits or throttling in keycloak-model-infinispan | Affected by 12 other vulnerabilities. |
VCID-cvan-qun2-aaac (Aliases: CVE-2020-1717, GHSA-rvfc-g8j5-9ccf) | Generation of Error Message Containing Sensitive Information in Keycloak | Affected by 22 other vulnerabilities. |
VCID-dgpm-z9v1-aaak (Aliases: CVE-2023-6927, GHSA-3p75-q5cc-qmj7) | A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt", which could be used to bypass the security patch implemented to address CVE-2023-6134. | Affected by 1 other vulnerability. |
VCID-fk8g-8kjz-aaah (Aliases: CVE-2020-1725, GHSA-p225-pc2x-4jpm) | Incorrect Authorization in Keycloak | Affected by 14 other vulnerabilities. |
VCID-hbzw-6rfa-aaar (Aliases: CVE-2017-12160, GHSA-qc72-gfvw-76h7) | It was found that Keycloak OAuth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. | Affected by 27 other vulnerabilities. |
VCID-jdh1-qm39-aaab (Aliases: CVE-2020-10758, GHSA-52rg-hpwq-qp56) | Allocation of Resources Without Limits or Throttling in Keycloak | Affected by 19 other vulnerabilities. |
VCID-jz37-vdvc-aaap (Aliases: CVE-2022-2256, GHSA-w9mf-83w3-fv49) | CVE-2022-2256 keycloak: improper input validation permits script injection | Affected by 6 other vulnerabilities. |
VCID-k7jg-jyxm-aaaj (Aliases: CVE-2017-12158, GHSA-v38p-mqq3-m6v5) | It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. | Affected by 25 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-kfzc-yxas-aaad (Aliases: CVE-2023-6291, GHSA-mpwq-j3xf-7m5w) | The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted | Affected by 2 other vulnerabilities. |
VCID-khbc-26kj-aaad (Aliases: CVE-2021-3632, GHSA-qpq9-jpv4-6gwr) | CVE-2021-3632 keycloak: Anyone can register a new device when there is no device registered for passwordless login | Affected by 11 other vulnerabilities. |
VCID-ksng-jvwm-aaar (Aliases: CVE-2020-10776, GHSA-484q-784p-8m5h) | Cross-site Scripting in Keycloak | Affected by 18 other vulnerabilities. |
VCID-pmym-rq6e-aaas (Aliases: CVE-2018-14655, GHSA-458h-wv48-fq75) | Cross-site Scripting: when using `response_mode=form_post` it is possible to inject arbitrary JavaScript code via the `state` parameter in the authentication URL. This allows an XSS attack upon successful login. | Affected by 24 other vulnerabilities. Affected by 23 other vulnerabilities. |
VCID-prd7-wjzq-aaar (Aliases: CVE-2017-12159, GHSA-7fmw-85qm-h22p) | CVE-2017-12159 keycloak: CSRF token fixation | Affected by 25 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-q12f-hsw1-aaam (Aliases: CVE-2020-1718, GHSA-j229-2h63-rvh9) | Improper Authentication for Keycloak | Affected by 22 other vulnerabilities. |
VCID-q8mt-excf-aaaa (Aliases: CVE-2021-3513, GHSA-xv7h-95r7-595j) | CVE-2021-3513 keycloak: Brute force attack is possible even after the account lockout | Affected by 14 other vulnerabilities. |
VCID-sjz1-u3j6-aaas (Aliases: CVE-2022-4137, GHSA-9hhc-pj4w-w5rv, GMS-2023-616) | Keycloak Cross-site Scripting on OpenID Connect login service | Affected by 3 other vulnerabilities. |
VCID-sr91-xpzg-aaad (Aliases: CVE-2020-14359, GHSA-jh6m-3pqw-242h) | Authentication Bypass by Primary Weakness in Keycloak | Affected by 14 other vulnerabilities. |
VCID-tj6m-xz2w-aaak (Aliases: CVE-2018-14657, GHSA-85v8-vx4w-q684) | Improper Authentication: when TOTP is enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures. | Affected by 23 other vulnerabilities. Affected by 23 other vulnerabilities. |
VCID-zejc-g1wg-aaad (Aliases: CVE-2020-10748, GHSA-hgpg-593r-hhvp) | Cross-site Scripting in Keycloak | Affected by 21 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |