purl | pkg:maven/org.keycloak/keycloak-parent@15.0.0 |
Next non-vulnerable version | None. |
Latest non-vulnerable version | None. |
Risk | 4.5 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-1m3m-ay28-aaag (aliases: CVE-2019-14910, GHSA-jf86-9434-f8c2) | Improper Authentication. A vulnerability was found in Keycloak: when Keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), user authentication succeeds even if an invalid password has been entered. | There are no reported fixed by versions. |
VCID-4zcy-bbkq-aaaf (aliases: CVE-2021-4133, GHSA-83x4-9cwr-5487) | Improper Authorization in Keycloak | Affected by 10 other vulnerabilities. |
VCID-6367-jty3-aaak (aliases: CVE-2022-3782, GHSA-g8q8-fggx-9r3q, GMS-2022-8407) | Keycloak vulnerable to path traversal via double URL encoding | Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-6gmx-q9wm-aaan (aliases: CVE-2022-2668, GHSA-q2gp-gph3-88x9, GHSA-wf7g-7h6h-678v) | An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled | Affected by 6 other vulnerabilities. |
VCID-7qnt-1wwt-aaap (aliases: CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406) | Keycloak vulnerable to session takeover with OIDC offline refresh tokens | Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-b76u-hkzd-aaap (aliases: CVE-2021-3827, GHSA-4pc7-vqv5-5r3v, GMS-2022-1098) | ECP SAML binding bypasses authentication flows | Affected by 8 other vulnerabilities. |
VCID-dgpm-z9v1-aaak (aliases: CVE-2023-6927, GHSA-3p75-q5cc-qmj7) | A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt", which could be used to bypass the security patch implemented to address CVE-2023-6134. | Affected by 1 other vulnerability. |
VCID-djms-xk3f-aaar (aliases: GHSA-m98g-63qj-fp8j, GMS-2022-1097) | Reflected XSS on clients-registrations endpoint | Affected by 8 other vulnerabilities. |
VCID-jz37-vdvc-aaap (aliases: CVE-2022-2256, GHSA-w9mf-83w3-fv49) | CVE-2022-2256 keycloak: improper input validation permits script injection | Affected by 6 other vulnerabilities. |
VCID-kfzc-yxas-aaad (aliases: CVE-2023-6291, GHSA-mpwq-j3xf-7m5w) | The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted | Affected by 2 other vulnerabilities. |
VCID-khbc-26kj-aaad (aliases: CVE-2021-3632, GHSA-qpq9-jpv4-6gwr) | CVE-2021-3632 keycloak: Anyone can register a new device when there is no device registered for passwordless login | Affected by 11 other vulnerabilities. |
VCID-sjz1-u3j6-aaas (aliases: CVE-2022-4137, GHSA-9hhc-pj4w-w5rv, GMS-2023-616) | Keycloak Cross-site Scripting on OpenID Connect login service | Affected by 3 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. | | |