Package details: pkg:maven/org.keycloak/keycloak-services@1.0-beta-1-20150523
purl pkg:maven/org.keycloak/keycloak-services@1.0-beta-1-20150523
Next non-vulnerable version 26.3.0
Latest non-vulnerable version 26.3.0
Risk 10.0
Vulnerabilities affecting this package (60)
Vulnerability Summary Fixed by
VCID-1rp9-hqyn-vqh8
Aliases:
CVE-2025-3910
GHSA-5jfq-x6xp-7rw2
Keycloak vulnerable to two factor authentication bypass. Description: A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
26.2.2
Affected by 1 other vulnerability.
VCID-2a26-fge4-k3b3
Aliases:
CVE-2014-3709
GHSA-xr6q-qqx7-553g
JBoss Keycloak CSRF Vulnerability The `org.keycloak.services.resources.SocialResource.callback` method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
1.0.3.Final
Affected by 58 other vulnerabilities.
VCID-2n4m-jnmy-cfcy
Aliases:
CVE-2023-0264
GHSA-9g98-5mj6-f9mv
GMS-2023-573
Keycloak vulnerable to user impersonation via stolen UUID code Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens.
19.0.0
Affected by 36 other vulnerabilities.
21.0.1
Affected by 34 other vulnerabilities.
VCID-31gq-x8za-3bdz
Aliases:
CVE-2020-1725
GHSA-p225-pc2x-4jpm
Incorrect Authorization in keycloak A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.
13.0.0
Affected by 44 other vulnerabilities.
VCID-3dnq-gcve-ufc6
Aliases:
CVE-2020-10770
GHSA-jh7q-5mwf-qvhw
Keycloak vulnerable to Server-Side Request Forgery A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
12.0.2
Affected by 50 other vulnerabilities.
VCID-5563-6emh-17c9
Aliases:
CVE-2023-2585
GHSA-f5h4-wmp5-xhg6
Client Spoofing within the Keycloak Device Authorisation Grant Under certain pre-conditions the vulnerability allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.
21.1.2
Affected by 31 other vulnerabilities.
VCID-5s6v-un5w-qyg4
Aliases:
GHSA-gj52-35xm-gxjh
Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow. This advisory has been withdrawn because it is a duplicate of GHSA-xhpr-465j-7p9q. This link is maintained to preserve external references. Original description: A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
26.3.0
Affected by 0 other vulnerabilities.
VCID-5uqt-n7a5-kqdt
Aliases:
CVE-2023-6484
GHSA-j628-q885-8gr5
Keycloak vulnerable to log injection during WebAuthn authentication or registration A flaw was found in Keycloak 22.0.5. Errors in the browser client during setup/auth with "Security Key login" (WebAuthn) are written into the form, sent to Keycloak and logged without escaping, allowing log injection. Acknowledgements: Special thanks to Theresa Henze for reporting this issue and helping us improve our security.
22.0.9
Affected by 0 other vulnerabilities.
23.0.5
Affected by 27 other vulnerabilities.
VCID-65b2-56z7-hfan
Aliases:
CVE-2022-3916
GHSA-97g8-xfvw-q4hg
GMS-2022-8406
Keycloak vulnerable to session takeover with OIDC offline refresh tokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.
20.0.2
Affected by 36 other vulnerabilities.
VCID-67wr-x944-37g9
Aliases:
CVE-2023-0657
GHSA-7fpj-9hr8-28vh
Keycloak vulnerable to impersonation via logout token exchange Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
22.0.10
Affected by 0 other vulnerabilities.
24.0.3
Affected by 17 other vulnerabilities.
VCID-6fd9-kenc-8fhc
Aliases:
CVE-2020-10776
GHSA-484q-784p-8m5h
Cross-site Scripting in keycloak A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
12.0.0
Affected by 52 other vulnerabilities.
VCID-6s7u-6b3m-3kfn
Aliases:
CVE-2021-20323
GHSA-xpgc-j48j-jwv9
Cross-site Scripting in Keycloak A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak version 15. The issue was fixed in version 17.0.0.
17.0.0
Affected by 40 other vulnerabilities.
VCID-7363-ze97-87et
Aliases:
CVE-2025-2559
GHSA-2935-2wfm-hhpv
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.
26.1.5
Affected by 5 other vulnerabilities.
VCID-7t4n-1rts-g7cx
Aliases:
CVE-2023-6134
GHSA-cvg2-7c3j-g36j
Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri Keycloak prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This could permit an attacker to submit a specially crafted request leading to XSS or possibly further attacks.
23.0.0
Affected by 30 other vulnerabilities.
23.0.3
Affected by 28 other vulnerabilities.
VCID-7wwd-mrdx-mub6
Aliases:
CVE-2024-2419
GHSA-mrv8-pqfj-7gp5
Keycloak path traversal vulnerability in the redirect validation An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts.
22.0.10
Affected by 0 other vulnerabilities.
24.0.3
Affected by 17 other vulnerabilities.
VCID-8etu-sejz-kkdy
Aliases:
CVE-2023-6544
GHSA-46c8-635v-68r2
Keycloak Authorization Bypass vulnerability Due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client, a malicious user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration previously unauthorized. Acknowledgements: Special thanks to Bastian Kanbach for reporting this issue and helping us improve our security.
22.0.10
Affected by 0 other vulnerabilities.
24.0.3
Affected by 17 other vulnerabilities.
VCID-8k4c-w1dp-87du
Aliases:
CVE-2021-3632
GHSA-qpq9-jpv4-6gwr
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
15.1.0
Affected by 42 other vulnerabilities.
VCID-921n-kkxc-gyav
Aliases:
GHSA-fx44-2wx5-5fvp
Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass. This advisory has been withdrawn because it is a duplicate of GHSA-5jfq-x6xp-7rw2. This link is maintained to preserve external references. Original description: A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
26.2.2
Affected by 1 other vulnerability.
VCID-929e-njv7-mycr
Aliases:
CVE-2020-14366
GHSA-cp67-8w3w-6h9c
Path Traversal A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw.
12.0.0
Affected by 52 other vulnerabilities.
VCID-9mrp-8k8r-dkcf
Aliases:
CVE-2021-3856
GHSA-3w4v-rvc4-2xpw
Keycloak has Files or Directories Accessible to External Parties ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.
15.1.0
Affected by 42 other vulnerabilities.
VCID-aqh7-9deh-1ue9
Aliases:
CVE-2023-6717
GHSA-8rmm-gm28-pj8q
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:). Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission. Acknowledgements: Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.
22.0.10
Affected by 0 other vulnerabilities.
24.0.3
Affected by 17 other vulnerabilities.
VCID-arz8-9ngd-2yce
Aliases:
CVE-2018-10894
GHSA-xvv8-8wh9-9fh2
Keycloak Authentication Error It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
4.4.0.Final
Affected by 56 other vulnerabilities.
VCID-az5g-yu3m-g3c1
Aliases:
CVE-2024-8883
GHSA-w8gr-xwp4-r9f7
Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
22.0.13
Affected by 0 other vulnerabilities.
24.0.8
Affected by 0 other vulnerabilities.
25.0.6
Affected by 9 other vulnerabilities.
VCID-b6mp-jcq2-uqbv
Aliases:
CVE-2021-20202
GHSA-6xp6-fmc8-pmmr
Temporary Directory Hijacking Vulnerability in Keycloak A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.
13.0.0
Affected by 44 other vulnerabilities.
VCID-bnfj-v32k-gkc9
Aliases:
CVE-2022-2232
GHSA-8hc5-rmgf-qx6p
Keycloak vulnerable to LDAP Injection on UsernameForm Login A flaw was found in the Keycloak package. This flaw allows an attacker to benefit from an LDAP query and access existing usernames in the server.
23.0.1
Affected by 28 other vulnerabilities.
VCID-c7hg-36fr-7ffe
Aliases:
CVE-2025-3501
GHSA-hw58-3793-42gg
Keycloak hostname verification A flaw was found in Keycloak. By setting a verification policy to 'ANY', the trust store certificate verification is skipped, which is unintended.
26.2.2
Affected by 1 other vulnerability.
VCID-cxc7-ub9z-tqgt
Aliases:
GHSA-rq4w-cjrr-h8w8
Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User. This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7. This link is maintained to preserve external references. Original description: A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization's domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
26.1.2
Affected by 6 other vulnerabilities.
VCID-d65g-gade-ckd5
Aliases:
CVE-2021-3754
GHSA-4vc8-pg5c-vg4x
Keycloak's improper input validation allows using email as username Keycloak allows the use of an email address as a username and doesn't check that an account with this email already exists. That could lead to the inability to reset the password or log in with email for the user. This is caused by usernames being evaluated before emails.
24.0.1
Affected by 25 other vulnerabilities.
VCID-e3ff-n9zd-u7fm
Aliases:
CVE-2020-1724
GHSA-8xj2-47xw-q78c
Keycloak Insufficient Session Expiry A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.
9.0.2
Affected by 54 other vulnerabilities.
VCID-f7ys-kjgb-nyg5
Aliases:
CVE-2020-1758
GHSA-c597-f74m-jgc2
Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
10.0.0
Affected by 53 other vulnerabilities.
VCID-g4dm-rd3v-tbcp
Aliases:
CVE-2022-1245
GHSA-75p6-52g3-rqc8
GMS-2022-1039
Keycloak vulnerable to privilege escalation on Token Exchange feature A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.
18.0.0
Affected by 37 other vulnerabilities.
VCID-g8vq-taau-q7cj
Aliases:
CVE-2022-4361
GHSA-3p62-6fjh-3p5h
Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC AssertionConsumerServiceURL is a Java implementation for SAML Service Providers (org.keycloak.protocol.saml). Affected versions of this package are vulnerable to Cross-site Scripting (XSS). AssertionConsumerServiceURL allows XSS when sending a crafted SAML XML request.
21.1.2
Affected by 31 other vulnerabilities.
VCID-gyrk-cxkp-uyh8
Aliases:
CVE-2021-3513
GHSA-xv7h-95r7-595j
Incorrect implementation of lockout feature in Keycloak A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
13.0.0
Affected by 44 other vulnerabilities.
VCID-hg9y-2gqq-uufd
Aliases:
CVE-2024-3656
GHSA-2cww-fgmg-4jqc
Keycloak's admin API allows low privilege users to use administrative functions Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within the Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.
24.0.5
Affected by 13 other vulnerabilities.
VCID-hnzg-a2s4-xqg3
Aliases:
CVE-2024-1722
GHSA-cq42-vhv7-xr7p
Keycloak Denial of Service via account lockout In any realm set with "User (Self) registration" a user that is registered with a username in email format can be "locked out" (denied from logging in) using his username.
24.0.0
Affected by 26 other vulnerabilities.
VCID-k2e6-tjga-h7ch
Aliases:
GHSA-4vrx-8phj-x3mg
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR). This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references. Original description: A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.
24.0.5
Affected by 13 other vulnerabilities.
VCID-kpgc-cmf5-mqcj
Aliases:
GHSA-j3x3-r585-4qhg
Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity. This advisory has been withdrawn because it is a duplicate of GHSA-wq8x-cg39-8mrr. This link is maintained to preserve external references. Original description: A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
24.0.9
Affected by 0 other vulnerabilities.
26.0.6
Affected by 7 other vulnerabilities.
VCID-m2sg-bxzt-d3g7
Aliases:
CVE-2020-1744
GHSA-4gf2-xv97-63m2
Exposure of Sensitive Information in keycloak A flaw was found in Keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP, the failed login events for OTP are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events.
9.0.2
Affected by 54 other vulnerabilities.
VCID-m9nn-mnr2-2qbq
Aliases:
CVE-2020-27838
GHSA-pcv5-m2wh-66j3
Keycloak discloses information without authentication A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
13.0.0
Affected by 44 other vulnerabilities.
VCID-mfyr-sbkc-5uc3
Aliases:
GHSA-8wm9-24qg-m5qj
Duplicate Advisory: Keycloak has a brute force login protection bypass. This advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references. Original description: A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
24.0.4
Affected by 16 other vulnerabilities.
VCID-nhey-k3qb-rubf
Aliases:
CVE-2021-3424
GHSA-pf38-cw3p-22q9
Keycloak is vulnerable to IDN homograph attack A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.
18.0.0
Affected by 37 other vulnerabilities.
VCID-pnd6-k66h-mubw
Aliases:
CVE-2014-3652
GHSA-5r7w-pjx8-99qg
JBoss KeyCloak Open Redirect JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.
1.1.0.Beta1
Affected by 57 other vulnerabilities.
VCID-qvgh-18f2-xbcw
Aliases:
CVE-2024-1132
GHSA-72vp-xfrc-42xm
Keycloak path traversal vulnerability in redirection validation A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field. Acknowledgements: Special thanks to Axel Flamcourt for reporting this issue and helping us improve our project.
22.0.10
Affected by 0 other vulnerabilities.
24.0.3
Affected by 17 other vulnerabilities.
VCID-r6sd-68sa-33e5
Aliases:
CVE-2020-1727
A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious user to craft deep links that introduce further attack scenarios on affected clients.
9.0.2
Affected by 54 other vulnerabilities.
VCID-smva-uwpy-bud2
Aliases:
CVE-2024-4629
GHSA-gc7q-jgjv-vjr2
Keycloak Services has a potential bypass of brute force protection If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user. Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.
22.0.12
Affected by 1 other vulnerability.
24.0.7
Affected by 1 other vulnerability.
25.0.4
Affected by 12 other vulnerabilities.
VCID-snx9-ez2a-ffep
Aliases:
CVE-2023-3597
GHSA-4f53-xh3v-g8x4
Keycloak secondary factor bypass in step-up authentication Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication.
22.0.10
Affected by 0 other vulnerabilities.
24.0.3
Affected by 17 other vulnerabilities.
VCID-tawq-333x-b3e2
Aliases:
CVE-2024-7341
GHSA-5rxp-2rhr-qwqv
Keycloak has session fixation in Elytron SAML adapters A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
22.0.12
Affected by 1 other vulnerability.
24.0.7
Affected by 1 other vulnerability.
25.0.5
Affected by 11 other vulnerabilities.
VCID-tuhm-hk75-q7a3
Aliases:
CVE-2024-10270
GHSA-wq8x-cg39-8mrr
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
24.0.9
Affected by 0 other vulnerabilities.
26.0.6
Affected by 7 other vulnerabilities.
VCID-ukmt-zg1j-97fq
Aliases:
CVE-2022-1274
GHSA-m4fv-gm5m-4725
GMS-2023-528
HTML Injection in Keycloak Admin REST API The `execute-actions-email` endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users.
20.0.5
Affected by 34 other vulnerabilities.
VCID-v5pm-xqua-47a2
Aliases:
CVE-2024-4540
GHSA-69fp-7c8p-crjr
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.
24.0.5
Affected by 13 other vulnerabilities.
VCID-wcs9-zm87-6ub2
Aliases:
GHSA-mwm4-5qwr-g9pf
GMS-2022-1099
Keycloak is vulnerable to IDN homograph attack A flaw was found in Keycloak, where IDN homograph attacks are possible. This flaw allows a malicious user to register a name that already exists and then trick an admin into granting extra privileges. The highest threat from this vulnerability is to integrity.
18.0.0
Affected by 37 other vulnerabilities.
VCID-wngh-3b7z-aue7
Aliases:
GHSA-vvf8-2h68-9475
Duplicate Advisory: Keycloak Open Redirect vulnerability. This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references. Original description: A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
25.0.6
Affected by 9 other vulnerabilities.
VCID-x37n-chds-gkef
Aliases:
CVE-2024-1249
GHSA-m6q9-p373-g5q8
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS A potential security flaw in the "checkLoginIframe" which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. Acknowledgements: Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.
22.0.10
Affected by 0 other vulnerabilities.
24.0.3
Affected by 17 other vulnerabilities.
VCID-xamp-qeqk-3qc1
Aliases:
CVE-2020-14302
keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks
13.0.0
Affected by 44 other vulnerabilities.
VCID-xc4v-p9kg-tbb9
Aliases:
CVE-2014-3655
GHSA-237q-6hjp-pchq
JBoss KeyCloak is vulnerable to soft token deletion via CSRF. This issue is fixed in Keycloak 1.0.2.Final.
1.0.2.Final
Affected by 59 other vulnerabilities.
VCID-xjby-9929-kyed
Aliases:
CVE-2020-14389
GHSA-c9x9-xv66-xp3v
Improper privilege management in Keycloak A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission.
12.0.0
Affected by 52 other vulnerabilities.
VCID-xzss-xmpe-jfcg
Aliases:
CVE-2023-2422
GHSA-3qh5-qqj2-c78f
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.
21.1.2
Affected by 31 other vulnerabilities.
VCID-ydys-b2yz-rbgv
Aliases:
GHSA-r934-w73g-v4p8
Duplicate Advisory: Keycloak hostname verification. This advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references. Original description: A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
26.2.2
Affected by 1 other vulnerability.
VCID-ynan-6bh4-cfhq
Aliases:
CVE-2023-6291
GHSA-mpwq-j3xf-7m5w
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "www%2ekeycloak%2eorg%2fapp%2f:y@example.com" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL-decoded version, which no longer represents the original input. Acknowledgements: Karel Knibbe
23.0.0
Affected by 30 other vulnerabilities.
23.0.3
Affected by 28 other vulnerabilities.
VCID-zjxg-8sgz-7ye4
Aliases:
CVE-2023-6787
GHSA-c9h6-v78w-52wj
Keycloak vulnerable to session hijacking via re-authentication A flaw was found in Keycloak. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session.
22.0.10
Affected by 0 other vulnerabilities.
24.0.3
Affected by 17 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-11T11:37:38.695404+00:00 GitLab Importer Affected by VCID-5s6v-un5w-qyg4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-gj52-35xm-gxjh.yml 37.0.0
2025-08-01T12:19:36.590228+00:00 GitLab Importer Affected by VCID-c7hg-36fr-7ffe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2025-3501.yml 37.0.0
2025-08-01T12:19:25.954514+00:00 GitLab Importer Affected by VCID-1rp9-hqyn-vqh8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2025-3910.yml 37.0.0
2025-08-01T12:19:23.628329+00:00 GitLab Importer Affected by VCID-ydys-b2yz-rbgv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-r934-w73g-v4p8.yml 37.0.0
2025-08-01T12:19:19.640285+00:00 GitLab Importer Affected by VCID-921n-kkxc-gyav https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-fx44-2wx5-5fvp.yml 37.0.0
2025-08-01T12:16:06.937307+00:00 GitLab Importer Affected by VCID-7363-ze97-87et https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2025-2559.yml 37.0.0
2025-08-01T12:11:20.384753+00:00 GitLab Importer Affected by VCID-cxc7-ub9z-tqgt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-rq4w-cjrr-h8w8.yml 37.0.0
2025-08-01T12:04:35.994887+00:00 GitLab Importer Affected by VCID-tuhm-hk75-q7a3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-10270.yml 37.0.0
2025-08-01T12:04:33.366539+00:00 GitLab Importer Affected by VCID-kpgc-cmf5-mqcj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-j3x3-r585-4qhg.yml 37.0.0
2025-08-01T11:59:24.602983+00:00 GitLab Importer Affected by VCID-az5g-yu3m-g3c1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-w8gr-xwp4-r9f7.yml 37.0.0
2025-08-01T11:59:21.799691+00:00 GitLab Importer Affected by VCID-tawq-333x-b3e2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-7341.yml 37.0.0
2025-08-01T11:59:20.117456+00:00 GitLab Importer Affected by VCID-az5g-yu3m-g3c1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-8883.yml 37.0.0
2025-08-01T11:59:06.953114+00:00 GitLab Importer Affected by VCID-tawq-333x-b3e2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-5rxp-2rhr-qwqv.yml 37.0.0
2025-08-01T11:56:19.345788+00:00 GitLab Importer Affected by VCID-wngh-3b7z-aue7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-vvf8-2h68-9475.yml 37.0.0
2025-08-01T11:55:53.939806+00:00 GitLab Importer Affected by VCID-smva-uwpy-bud2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-4629.yml 37.0.0
2025-08-01T11:54:28.032976+00:00 GitLab Importer Affected by VCID-mfyr-sbkc-5uc3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-8wm9-24qg-m5qj.yml 37.0.0
2025-08-01T11:48:52.441353+00:00 GitLab Importer Affected by VCID-d65g-gade-ckd5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-4vc8-pg5c-vg4x.yml 37.0.0
2025-08-01T11:48:50.561403+00:00 GitLab Importer Affected by VCID-hnzg-a2s4-xqg3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-cq42-vhv7-xr7p.yml 37.0.0
2025-08-01T11:48:46.616747+00:00 GitLab Importer Affected by VCID-hnzg-a2s4-xqg3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-1722.yml 37.0.0
2025-08-01T11:48:41.656483+00:00 GitLab Importer Affected by VCID-hg9y-2gqq-uufd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-3656.yml 37.0.0
2025-08-01T11:48:36.675132+00:00 GitLab Importer Affected by VCID-v5pm-xqua-47a2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-69fp-7c8p-crjr.yml 37.0.0
2025-08-01T11:48:35.763581+00:00 GitLab Importer Affected by VCID-v5pm-xqua-47a2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-4540.yml 37.0.0
2025-08-01T11:47:00.743828+00:00 GitLab Importer Affected by VCID-k2e6-tjga-h7ch https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-4vrx-8phj-x3mg.yml 37.0.0
2025-08-01T11:41:07.835166+00:00 GitLab Importer Affected by VCID-aqh7-9deh-1ue9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-6717.yml 37.0.0
2025-08-01T11:41:05.949460+00:00 GitLab Importer Affected by VCID-7wwd-mrdx-mub6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-2419.yml 37.0.0
2025-08-01T11:41:04.527729+00:00 GitLab Importer Affected by VCID-8etu-sejz-kkdy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-6544.yml 37.0.0
2025-08-01T11:41:01.538832+00:00 GitLab Importer Affected by VCID-qvgh-18f2-xbcw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-1132.yml 37.0.0
2025-08-01T11:41:00.268585+00:00 GitLab Importer Affected by VCID-zjxg-8sgz-7ye4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-6787.yml 37.0.0
2025-08-01T11:40:59.012324+00:00 GitLab Importer Affected by VCID-x37n-chds-gkef https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2024-1249.yml 37.0.0
2025-08-01T11:40:58.032293+00:00 GitLab Importer Affected by VCID-67wr-x944-37g9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-0657.yml 37.0.0
2025-08-01T11:40:55.865434+00:00 GitLab Importer Affected by VCID-snx9-ez2a-ffep https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-3597.yml 37.0.0
2025-08-01T11:40:54.051952+00:00 GitLab Importer Affected by VCID-5uqt-n7a5-kqdt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-6484.yml 37.0.0
2025-08-01T11:31:56.543865+00:00 GitLab Importer Affected by VCID-ynan-6bh4-cfhq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-6291.yml 37.0.0
2025-08-01T11:28:23.600830+00:00 GitLab Importer Affected by VCID-7t4n-1rts-g7cx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-6134.yml 37.0.0
2025-08-01T11:26:51.323733+00:00 GitLab Importer Affected by VCID-bnfj-v32k-gkc9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2022-2232.yml 37.0.0
2025-08-01T11:21:55.574759+00:00 GitLab Importer Affected by VCID-xzss-xmpe-jfcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-2422.yml 37.0.0
2025-08-01T11:20:52.878942+00:00 GitLab Importer Affected by VCID-65b2-56z7-hfan https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2022-3916.yml 37.0.0
2025-08-01T11:16:49.450807+00:00 GitLab Importer Affected by VCID-2n4m-jnmy-cfcy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GMS-2023-573.yml 37.0.0
2025-08-01T11:14:28.103985+00:00 GitLab Importer Affected by VCID-g8vq-taau-q7cj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2022-4361.yml 37.0.0
2025-08-01T11:13:28.144041+00:00 GitLab Importer Affected by VCID-5563-6emh-17c9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2023-2585.yml 37.0.0
2025-08-01T11:05:24.626800+00:00 GitLab Importer Affected by VCID-ukmt-zg1j-97fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GMS-2023-528.yml 37.0.0
2025-08-01T10:44:48.682431+00:00 GitLab Importer Affected by VCID-8k4c-w1dp-87du https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2021-3632.yml 37.0.0
2025-08-01T10:44:47.664479+00:00 GitLab Importer Affected by VCID-9mrp-8k8r-dkcf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2021-3856.yml 37.0.0
2025-08-01T10:44:24.386325+00:00 GitLab Importer Affected by VCID-gyrk-cxkp-uyh8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2021-3513.yml 37.0.0
2025-08-01T10:41:59.124748+00:00 GitLab Importer Affected by VCID-g4dm-rd3v-tbcp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2022-1245.yml 37.0.0
2025-08-01T10:29:55.294177+00:00 GitLab Importer Affected by VCID-2a26-fge4-k3b3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2014-3709.yml 37.0.0
2025-08-01T10:29:00.999926+00:00 GitLab Importer Affected by VCID-pnd6-k66h-mubw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2014-3652.yml 37.0.0
2025-08-01T10:24:54.516313+00:00 GitLab Importer Affected by VCID-arz8-9ngd-2yce https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2018-10894.yml 37.0.0
2025-08-01T10:21:19.556260+00:00 GitLab Importer Affected by VCID-nhey-k3qb-rubf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2021-3424.yml 37.0.0
2025-08-01T10:21:17.210189+00:00 GitLab Importer Affected by VCID-wcs9-zm87-6ub2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GMS-2022-1099.yml 37.0.0
2025-08-01T10:18:36.826836+00:00 GitLab Importer Affected by VCID-6s7u-6b3m-3kfn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2021-20323.yml 37.0.0
2025-08-01T09:53:53.711470+00:00 GitLab Importer Affected by VCID-b6mp-jcq2-uqbv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2021-20202.yml 37.0.0
2025-08-01T09:49:39.723406+00:00 GitLab Importer Affected by VCID-m9nn-mnr2-2qbq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-27838.yml 37.0.0
2025-08-01T09:47:56.527010+00:00 GitLab Importer Affected by VCID-31gq-x8za-3bdz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-1725.yml 37.0.0
2025-08-01T09:46:20.972951+00:00 GitLab Importer Affected by VCID-xamp-qeqk-3qc1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-14302.yml 37.0.0
2025-08-01T09:46:18.344018+00:00 GitLab Importer Affected by VCID-3dnq-gcve-ufc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-10770.yml 37.0.0
2025-08-01T09:45:07.178108+00:00 GitLab Importer Affected by VCID-6fd9-kenc-8fhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-10776.yml 37.0.0
2025-08-01T09:45:03.646412+00:00 GitLab Importer Affected by VCID-xjby-9929-kyed https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-14389.yml 37.0.0
2025-08-01T09:44:39.903324+00:00 GitLab Importer Affected by VCID-929e-njv7-mycr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-14366.yml 37.0.0
2025-08-01T09:43:20.085950+00:00 GHSA Importer Affected by VCID-hg9y-2gqq-uufd https://github.com/advisories/GHSA-2cww-fgmg-4jqc 37.0.0
2025-08-01T09:33:45.667909+00:00 GitLab Importer Affected by VCID-r6sd-68sa-33e5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-1727.yml 37.0.0
2025-08-01T09:32:20.026171+00:00 GitLab Importer Affected by VCID-f7ys-kjgb-nyg5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-1758.yml 37.0.0
2025-08-01T09:32:02.064089+00:00 GitLab Importer Affected by VCID-e3ff-n9zd-u7fm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-1724.yml 37.0.0
2025-08-01T09:30:32.008325+00:00 GitLab Importer Affected by VCID-m2sg-bxzt-d3g7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2020-1744.yml 37.0.0
2025-08-01T09:26:41.943510+00:00 GitLab Importer Affected by VCID-xc4v-p9kg-tbb9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2014-3655.yml 37.0.0