purl | pkg:maven/org.keycloak/keycloak-parent@11.0.3 |
Next non-vulnerable version | None. |
Latest non-vulnerable version | None. |
Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1m3m-ay28-aaag (aliases: CVE-2019-14910, GHSA-jf86-9434-f8c2) | Improper Authentication: A vulnerability was found in keycloak. When keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), user authentication succeeds even if an invalid password has been entered. | There are no reported fixed-by versions. |
| VCID-6367-jty3-aaak (aliases: CVE-2022-3782, GHSA-g8q8-fggx-9r3q, GMS-2022-8407) | Keycloak vulnerable to path traversal via double URL encoding | Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-6gmx-q9wm-aaan (aliases: CVE-2022-2668, GHSA-q2gp-gph3-88x9, GHSA-wf7g-7h6h-678v) | An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. | Affected by 6 other vulnerabilities. |
| VCID-6q92-s7v5-aaab (aliases: CVE-2021-3461, GHSA-cm29-6wx7-p874) | Insufficient Session Expiration: A flaw was found in keycloak where keycloak may fail to log out a user session if the logout request comes from an external SAML identity provider and Principal Type is set to Attribute [Name]. | Affected by 12 other vulnerabilities. |
| VCID-6vyw-xhfa-aaas (aliases: CVE-2020-14366, GHSA-cp67-8w3w-6h9c) | Path Traversal | Affected by 18 other vulnerabilities. |
| VCID-7qnt-1wwt-aaap (aliases: CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406) | Keycloak vulnerable to session takeover with OIDC offline refresh tokens | Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-b76u-hkzd-aaap (aliases: CVE-2021-3827, GHSA-4pc7-vqv5-5r3v, GMS-2022-1098) | ECP SAML binding bypasses authentication flows | Affected by 8 other vulnerabilities. |
| VCID-cevr-hgfk-aaae (aliases: CVE-2021-3637, GHSA-2vp8-jv5v-6qh6) | Allocation of resources without limits or throttling in keycloak-model-infinispan | Affected by 12 other vulnerabilities. |
| VCID-dgpm-z9v1-aaak (aliases: CVE-2023-6927, GHSA-3p75-q5cc-qmj7) | A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt", which could be used to bypass the security patch implemented to address CVE-2023-6134. | Affected by 1 other vulnerability. |
| VCID-djms-xk3f-aaar (aliases: GHSA-m98g-63qj-fp8j, GMS-2022-1097) | Reflected XSS on clients-registrations endpoint | Affected by 8 other vulnerabilities. |
| VCID-fk8g-8kjz-aaah (aliases: CVE-2020-1725, GHSA-p225-pc2x-4jpm) | Incorrect Authorization in keycloak | Affected by 14 other vulnerabilities. |
| VCID-jz37-vdvc-aaap (aliases: CVE-2022-2256, GHSA-w9mf-83w3-fv49) | CVE-2022-2256 keycloak: improper input validation permits script injection | Affected by 6 other vulnerabilities. |
| VCID-kfzc-yxas-aaad (aliases: CVE-2023-6291, GHSA-mpwq-j3xf-7m5w) | The redirect_uri validation logic allows bypassing explicitly allowed hosts that would otherwise be restricted | Affected by 2 other vulnerabilities. |
| VCID-khbc-26kj-aaad (aliases: CVE-2021-3632, GHSA-qpq9-jpv4-6gwr) | CVE-2021-3632 keycloak: Anyone can register a new device when there is no device registered for passwordless login | Affected by 11 other vulnerabilities. |
| VCID-ksng-jvwm-aaar (aliases: CVE-2020-10776, GHSA-484q-784p-8m5h) | Cross-site Scripting in keycloak | Affected by 18 other vulnerabilities. |
| VCID-q8mt-excf-aaaa (aliases: CVE-2021-3513, GHSA-xv7h-95r7-595j) | CVE-2021-3513 keycloak: Brute force attack is possible even after the account lockout | Affected by 14 other vulnerabilities. |
| VCID-rfye-2s3j-aaaf (aliases: CVE-2021-20222, GHSA-2mq8-99q7-55wx) | Code injection in keycloak | Affected by 18 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-sjz1-u3j6-aaas (aliases: CVE-2022-4137, GHSA-9hhc-pj4w-w5rv, GMS-2023-616) | Keycloak Cross-site Scripting on OpenID Connect login service | Affected by 3 other vulnerabilities. |
| VCID-sr91-xpzg-aaad (aliases: CVE-2020-14359, GHSA-jh6m-3pqw-242h) | Authentication Bypass by Primary Weakness in keycloak | Affected by 14 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |