Search for packages
| purl | pkg:maven/org.keycloak/keycloak-saml-core-public@9.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-65b2-56z7-hfan
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Keycloak vulnerable to session takeover with OIDC offline refreshtokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user. |
Affected by 1 other vulnerability. |
|
VCID-c3gj-w7y1-d3dm
Aliases: CVE-2022-1466 GHSA-f32v-vf79-p29q |
Improper authorization in Keycloak Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. |
Affected by 3 other vulnerabilities. |
|
VCID-g4dm-rd3v-tbcp
Aliases: CVE-2022-1245 GHSA-75p6-52g3-rqc8 GMS-2022-1039 |
Keycloak vulnerable to privilege escalation on Token Exchange feature A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services. |
Affected by 3 other vulnerabilities. |
|
VCID-ynan-6bh4-cfhq
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:y@example.com](https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input. ### Acknowledgements Karel Knibbe |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-08-01T11:31:58.252850+00:00 | GitLab Importer | Affected by | VCID-ynan-6bh4-cfhq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core-public/CVE-2023-6291.yml | 37.0.0 |
| 2025-08-01T11:20:47.547409+00:00 | GitLab Importer | Affected by | VCID-65b2-56z7-hfan | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core-public/CVE-2022-3916.yml | 37.0.0 |
| 2025-08-01T10:42:00.063305+00:00 | GitLab Importer | Affected by | VCID-g4dm-rd3v-tbcp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core-public/CVE-2022-1245.yml | 37.0.0 |
| 2025-08-01T10:21:10.307020+00:00 | GitLab Importer | Affected by | VCID-c3gj-w7y1-d3dm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core-public/CVE-2022-1466.yml | 37.0.0 |