Search for packages
| purl | pkg:maven/org.keycloak/keycloak-parent@20.0.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1m3m-ay28-aaag
Aliases: CVE-2019-14910 GHSA-jf86-9434-f8c2 |
Improper Authentication A vulnerability was found in keycloak, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. | There are no reported fixed by versions. |
|
VCID-6367-jty3-aaak
Aliases: CVE-2022-3782 GHSA-g8q8-fggx-9r3q GMS-2022-8407 |
Keycloak vulnerable to path traversal via double URL encoding |
Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-7qnt-1wwt-aaap
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Keycloak vulnerable to session takeover with OIDC offline refreshtokens |
Affected by 4 other vulnerabilities. |
|
VCID-dgpm-z9v1-aaak
Aliases: CVE-2023-6927 GHSA-3p75-q5cc-qmj7 |
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134. |
Affected by 1 other vulnerability. |
|
VCID-kfzc-yxas-aaad
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted |
Affected by 2 other vulnerabilities. |
|
VCID-sjz1-u3j6-aaas
Aliases: CVE-2022-4137 GHSA-9hhc-pj4w-w5rv GMS-2023-616 |
Keycloak Cross-site Scripting on OpenID connect login service |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||