purl | pkg:maven/org.keycloak/keycloak-services@12.0.1 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-17mu-ww7e-aaah (Aliases: CVE-2022-1245 GHSA-75p6-52g3-rqc8 GMS-2022-1039) | Privilege escalation vulnerability on Token Exchange feature | Affected by 38 other vulnerabilities. |
VCID-1azf-tnm3-pyh3 (Aliases: GHSA-fx44-2wx5-5fvp) | Duplicate Advisory: Keycloak vulnerable to two-factor authentication bypass | Affected by 0 other vulnerabilities. |
VCID-23ms-gvbw-aaae (Aliases: CVE-2021-3856 GHSA-3w4v-rvc4-2xpw) | CVE-2021-3856 keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader | Affected by 43 other vulnerabilities. |
VCID-25gj-djgm-aaak (Aliases: CVE-2023-3597 GHSA-4f53-xh3v-g8x4) | Keycloak secondary factor bypass in step-up authentication | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-28mx-tym1-aaaf (Aliases: CVE-2023-6787 GHSA-c9h6-v78w-52wj) | Keycloak vulnerable to session hijacking via re-authentication | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-2u3y-y6mn-aaac (Aliases: GHSA-69fp-7c8p-crjr) | Keycloak exposes sensitive information in Pushed Authorization Requests (PAR). A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability. | Affected by 13 other vulnerabilities. |
VCID-4kz1-zbkx-aaaq (Aliases: CVE-2023-6134 GHSA-cvg2-7c3j-g36j) | keycloak: reflected XSS via wildcard in OIDC redirect_uri | Affected by 31 other vulnerabilities. Affected by 27 other vulnerabilities. |
VCID-4zcy-bbkq-aaaf (Aliases: CVE-2021-4133 GHSA-83x4-9cwr-5487) | Improper Authorization in Keycloak | Affected by 42 other vulnerabilities. |
VCID-5cfb-be25-aaaq (Aliases: GHSA-5968-qw33-h47j) | Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri | Affected by 27 other vulnerabilities. |
VCID-5hrf-cqc3-b7am (Aliases: GHSA-r934-w73g-v4p8) | Duplicate Advisory: Keycloak hostname verification | Affected by 0 other vulnerabilities. |
VCID-5skn-shbk-aaaj (Aliases: CVE-2024-2419 GHSA-mrv8-pqfj-7gp5) | A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291. | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-5yyq-kxcg-aaas (Aliases: CVE-2020-27838 GHSA-pcv5-m2wh-66j3) | Improper Authentication. A flaw was found in Keycloak: the client registration endpoint allows fetching information about PUBLIC clients (like the client secret) without authentication, which could be an issue if the same PUBLIC client is changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. | Affected by 45 other vulnerabilities. |
VCID-6ga3-jpyg-aaak (Aliases: CVE-2021-3424 GHSA-pf38-cw3p-22q9) | Keycloak is vulnerable to IDN homograph attack | Affected by 38 other vulnerabilities. |
VCID-6y2h-e36u-aaak (Aliases: CVE-2024-3656 GHSA-2cww-fgmg-4jqc) | Keycloak's admin API allows low-privilege users to use administrative functions. Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within the Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. **Acknowledgements:** Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. | Affected by 13 other vulnerabilities. |
VCID-7qnt-1wwt-aaap (Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406) | Keycloak vulnerable to session takeover with OIDC offline refresh tokens | Affected by 38 other vulnerabilities. |
VCID-7vmf-dh8n-aaaq (Aliases: GHSA-cq42-vhv7-xr7p) | Keycloak Denial of Service via account lockout. In any realm set with "User (Self) registration", a user that is registered with a username in email format can be "locked out" (denied from logging in) using their username. | Affected by 25 other vulnerabilities. |
VCID-bv9z-gxuw-aaas (Aliases: CVE-2022-1274 GHSA-m4fv-gm5m-4725 GMS-2023-528) | HTML Injection in Keycloak Admin REST API | Affected by 36 other vulnerabilities. |
VCID-caef-7bbm-aaaa (Aliases: CVE-2023-2585 GHSA-f5h4-wmp5-xhg6) | Client Spoofing within the Keycloak Device Authorisation Grant | Affected by 31 other vulnerabilities. |
VCID-ceef-drz5-cfa8 (Aliases: CVE-2024-7341 GHSA-j76j-rqwj-jmvv) | A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 12 other vulnerabilities. Affected by 10 other vulnerabilities. |
VCID-dk7y-hky5-kbey (Aliases: GHSA-rq4w-cjrr-h8w8) | Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User. This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7; this link is maintained to preserve external references. Original description: A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization's domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. | Affected by 5 other vulnerabilities. |
VCID-e51s-1cpw-qufr (Aliases: CVE-2024-10270 GHSA-wq8x-cg39-8mrr) | org.keycloak:keycloak-services: Keycloak Denial of Service | Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. |
VCID-e7da-njgp-aaak (Aliases: CVE-2023-6484 GHSA-j628-q885-8gr5) | keycloak: Log Injection during WebAuthn authentication or registration | Affected by 0 other vulnerabilities. Affected by 26 other vulnerabilities. |
VCID-f19m-zv2h-9fgu (Aliases: CVE-2024-8883 GHSA-vvf8-2h68-9475) | Keycloak: Vulnerable Redirect URI Validation Results in Open Redirect | Affected by 8 other vulnerabilities. |
VCID-fccp-mqrj-aaaj (Aliases: CVE-2020-14302) | Authentication Bypass by Capture-replay. A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same `state` parameter. This flaw allows a malicious user to perform replay attacks. | Affected by 45 other vulnerabilities. |
VCID-fk8g-8kjz-aaah (Aliases: CVE-2020-1725 GHSA-p225-pc2x-4jpm) | Incorrect Authorization in keycloak | Affected by 45 other vulnerabilities. |
VCID-gm3s-z2z6-wuec (Aliases: CVE-2024-4629 GHSA-8wm9-24qg-m5qj GHSA-gc7q-jgjv-vjr2) | A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. | Affected by 1 other vulnerability. Affected by 16 other vulnerabilities. Affected by 1 other vulnerability. Affected by 12 other vulnerabilities. |
VCID-gpuj-k3g2-cyga (Aliases: GHSA-j3x3-r585-4qhg) | Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity | Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. |
VCID-hd63-wdye-aaan (Aliases: GHSA-4vc8-pg5c-vg4x) | Keycloak's improper input validation allows using an email as username. Keycloak allows the use of an email as a username and doesn't check that an account with this email already exists. That could lead to the inability to reset the password or log in with email for the user. This is caused by usernames being evaluated before emails. | Affected by 24 other vulnerabilities. |
VCID-k2pw-c83c-aaaj (Aliases: CVE-2023-6544 GHSA-46c8-635v-68r2) | Keycloak Authorization Bypass vulnerability | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-kfzc-yxas-aaad (Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w) | The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted | Affected by 31 other vulnerabilities. Affected by 27 other vulnerabilities. |
VCID-khbc-26kj-aaad (Aliases: CVE-2021-3632 GHSA-qpq9-jpv4-6gwr) | CVE-2021-3632 keycloak: Anyone can register a new device when there is no device registered for passwordless login | Affected by 43 other vulnerabilities. |
VCID-kwe5-xg4b-aaak (Aliases: CVE-2023-0657 GHSA-7fpj-9hr8-28vh) | Keycloak vulnerable to impersonation via logout token exchange | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-kzst-61uh-aaag (Aliases: CVE-2022-2232 GHSA-8hc5-rmgf-qx6p) | Keycloak vulnerable to LDAP Injection on UsernameForm Login | Affected by 30 other vulnerabilities. |
VCID-pgg6-jps5-aaam (Aliases: GHSA-4vrx-8phj-x3mg) | Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR). This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr; this link is maintained to preserve external references. Original description: A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. | Affected by 13 other vulnerabilities. |
VCID-q6aw-6g78-aaac (Aliases: CVE-2022-4361 GHSA-3p62-6fjh-3p5h) | Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. | Affected by 31 other vulnerabilities. |
VCID-q8mt-excf-aaaa (Aliases: CVE-2021-3513 GHSA-xv7h-95r7-595j) | CVE-2021-3513 keycloak: Brute force attack is possible even after the account lockout | Affected by 45 other vulnerabilities. |
VCID-q9y4-889z-aaaa (Aliases: CVE-2020-10770 GHSA-jh7q-5mwf-qvhw) | Server-Side Request Forgery (SSRF). A flaw was found in Keycloak, where it is possible to force the server to call out to an unverified URL using the `OIDC` parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-Side Request Forgery (SSRF) attack. | Affected by 51 other vulnerabilities. |
VCID-rfye-2s3j-aaaf (Aliases: CVE-2021-20222 GHSA-2mq8-99q7-55wx) | Code injection in keycloak | Affected by 45 other vulnerabilities. |
VCID-scqu-xf9x-3kff (Aliases: GHSA-w8gr-xwp4-r9f7) | Vulnerable Redirect URI Validation Results in Open Redirect | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. |
VCID-sneg-t9mh-aaae (Aliases: CVE-2023-2422 GHSA-3qh5-qqj2-c78f) | Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients | Affected by 31 other vulnerabilities. |
VCID-sta4-3tue-aaac (Aliases: CVE-2021-20323 GHSA-xpgc-j48j-jwv9) | Cross-site Scripting in Keycloak | Affected by 41 other vulnerabilities. |
VCID-ubt4-nmw3-aaap (Aliases: CVE-2024-1132 GHSA-72vp-xfrc-42xm) | A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction with the malicious URL. | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-ur9z-vd6r-9qcj (Aliases: CVE-2025-2559 GHSA-2935-2wfm-hhpv) | org.keycloak/keycloak-services: JWT Token Cache Exhaustion Leading to Denial of Service (DoS) in Keycloak | Affected by 4 other vulnerabilities. |
VCID-w71m-tyt8-dqby (Aliases: CVE-2025-3501 GHSA-hw58-3793-42gg) | A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. | Affected by 0 other vulnerabilities. |
VCID-wbw4-mn7z-6yey (Aliases: GHSA-5rxp-2rhr-qwqv) | Session fixation in Elytron SAML adapters | Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 10 other vulnerabilities. |
VCID-weqk-utdn-aaaj (Aliases: GHSA-mwm4-5qwr-g9pf GMS-2022-1099) | Keycloak is vulnerable to IDN homograph attack | Affected by 38 other vulnerabilities. |
VCID-x48r-a8cq-aaad (Aliases: CVE-2023-0264 GHSA-9g98-5mj6-f9mv GMS-2023-573) | Keycloak vulnerable to user impersonation via stolen UUID code | Affected by 38 other vulnerabilities. Affected by 34 other vulnerabilities. |
VCID-ydp2-dstr-aaas (Aliases: CVE-2021-20202 GHSA-6xp6-fmc8-pmmr) | Temporary Directory Hijacking Vulnerability in Keycloak | Affected by 45 other vulnerabilities. |
VCID-yej1-gv6v-aaaa (Aliases: CVE-2024-1249 GHSA-m6q9-p373-g5q8) | A flaw was found in Keycloak's OIDC component in the "checkLoginIframe", which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability, because there is no proper origin validation for incoming messages. | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-yj6d-cyq5-aaaj (Aliases: CVE-2023-6717 GHSA-8rmm-gm28-pj8q) | Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-ze83-qhsk-67bh (Aliases: CVE-2025-3910 GHSA-5jfq-x6xp-7rw2) | A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | Affected by 0 other vulnerabilities. |
VCID-zj26-g915-aaap (Aliases: CVE-2022-1438 GHSA-w354-2f3c-qvg9 GMS-2023-529) | Keycloak vulnerable to Cross-site Scripting | Affected by 34 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
VCID-j9x9-5u7p-aaaj | Missing authentication for critical function | CVE-2021-20262 GHSA-xf46-8vvp-4hxx |