Search for packages
| purl | pkg:maven/org.keycloak/keycloak-parent@11.0.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-31gq-x8za-3bdz
Aliases: CVE-2020-1725 GHSA-p225-pc2x-4jpm |
Incorrect Authorization in keycloak A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. |
Affected by 12 other vulnerabilities. |
|
VCID-4wff-yxx3-fudx
Aliases: GHSA-m98g-63qj-fp8j GMS-2022-1097 |
Reflected XSS on clients-registrations endpoint A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts into the user's browser. ### Acknowledgement Keycloak would like to thank Quentin TEXIER (Pentester at Opencyber) for reporting this issue. |
Affected by 7 other vulnerabilities. |
|
VCID-65b2-56z7-hfan
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Keycloak vulnerable to session takeover with OIDC offline refreshtokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user. |
Affected by 3 other vulnerabilities. |
|
VCID-6fd9-kenc-8fhc
Aliases: CVE-2020-10776 GHSA-484q-784p-8m5h |
Cross-site Scripting in keycloak A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
Affected by 16 other vulnerabilities. |
|
VCID-8k4c-w1dp-87du
Aliases: CVE-2021-3632 GHSA-qpq9-jpv4-6gwr |
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. |
Affected by 10 other vulnerabilities. |
|
VCID-929e-njv7-mycr
Aliases: CVE-2020-14366 GHSA-cp67-8w3w-6h9c |
Path Traversal A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can be exposed by this flaw |
Affected by 16 other vulnerabilities. |
|
VCID-9czu-nrqb-kfec
Aliases: CVE-2022-2256 GHSA-w9mf-83w3-fv49 |
Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the default roles functionality. ### CVSS 3.1 - **3.8** **Vector String:** AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N **Vector Clarification:** * User interaction is not required as the admin console is regularly used during an administrator's work * The scope is unchanged since the admin console web application is both the vulnerable component and where the exploit executes ### Credits Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM |
Affected by 5 other vulnerabilities. |
|
VCID-au3p-x8uh-j7cv
Aliases: CVE-2022-3782 GHSA-g8q8-fggx-9r3q GMS-2022-8407 |
Keycloak vulnerable to path traversal via double URL encoding Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-dtkn-4bxm-2qaj
Aliases: CVE-2021-20222 GHSA-2mq8-99q7-55wx |
Code injection in keycloak A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-ffj4-zmgw-1kaj
Aliases: CVE-2022-2668 GHSA-wf7g-7h6h-678v |
Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console An issue was discovered in Keycloak allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the `UPLOAD_SCRIPTS` feature is disabled |
Affected by 5 other vulnerabilities. |
|
VCID-gyrk-cxkp-uyh8
Aliases: CVE-2021-3513 GHSA-xv7h-95r7-595j |
Incorrect implementation of lockout feature in Keycloak A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. |
Affected by 12 other vulnerabilities. |
|
VCID-hjtx-9nxd-effu
Aliases: CVE-2019-14910 GHSA-jf86-9434-f8c2 |
Keycloak Authentication Error A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. | There are no reported fixed by versions. |
|
VCID-khfn-ze7d-5fd5
Aliases: CVE-2021-3827 GHSA-4pc7-vqv5-5r3v GMS-2022-1098 |
ECP SAML binding bypasses authentication flows ### Description A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. |
Affected by 7 other vulnerabilities. |
|
VCID-r2r9-z6dp-2ycz
Aliases: CVE-2020-14359 GHSA-jh6m-3pqw-242h |
Keycloak Gatekeeper vulnerable to bypass on using lower case HTTP headers A vulnerability was found in all versions of the deprecated package Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) we can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a Gatekeeper in front of a Jetty server and use lowercase headers. |
Affected by 12 other vulnerabilities. |
|
VCID-ttnf-w73s-zfea
Aliases: GHSA-3p75-q5cc-qmj7 |
Duplicate Advisory: Keycloak Open Redirect vulnerability # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9vm7-v8wj-3fqw. This link is maintained to preserve external references. # Original Description A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134. |
Affected by 1 other vulnerability. |
|
VCID-ynan-6bh4-cfhq
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:y@example.com](https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input. ### Acknowledgements Karel Knibbe |
Affected by 2 other vulnerabilities. |
|
VCID-z3cr-n3zh-2fbn
Aliases: CVE-2021-3637 GHSA-2vp8-jv5v-6qh6 |
Allocation of resources without limits or throttling in keycloak-model-infinispan A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. |
Affected by 11 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||