Search for packages
| purl | pkg:npm/keycloak-connect@3.2.0-cr.1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1hec-prs3-93ae
Aliases: CVE-2019-10170 GHSA-7m27-3587-83xf |
Privilege Defined With Unsafe Actions in Keycloak A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. |
Affected by 21 other vulnerabilities. |
|
VCID-25s7-ksww-6qa2
Aliases: CVE-2019-3868 GHSA-gc52-xj6p-9pxp |
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user?s browser session. |
Affected by 29 other vulnerabilities. |
|
VCID-2rs5-mk86-tuhn
Aliases: CVE-2019-14832 GHSA-8prc-58j4-m55q |
Keycloak Unauthenticated Access A flaw was found in the Keycloak REST API before version 8.0.0, implemented in Keycloak before 7.0.1 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks. |
Affected by 21 other vulnerabilities. |
|
VCID-597y-4t7f-87bw
Aliases: CVE-2019-10169 GHSA-9c24-43p5-fv82 |
Keycloak code execution via UMA policy abuse A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application. |
Affected by 21 other vulnerabilities. |
|
VCID-5uxe-q2b4-ryed
Aliases: CVE-2019-10157 GHSA-68hw-vfh7-xvg8 |
Forced Logout in keycloak-connect Versions of `keycloak-connect` prior to 4.4.0 are vulnerable to Forced Logout. The package fails to validate JWT signatures on the `/k_logout` route, allowing attackers to logout users and craft malicious JWTs with NBF values that prevent user access indefinitely. ## Recommendation Upgrade to version 4.4.0 or later. |
Affected by 30 other vulnerabilities. |
|
VCID-65b2-56z7-hfan
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Keycloak vulnerable to session takeover with OIDC offline refreshtokens An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user. |
Affected by 7 other vulnerabilities. |
|
VCID-675z-39ka-s3as
Aliases: CVE-2020-1697 GHSA-8vf3-4w62-m3pq |
XSS in Keycloak It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. |
Affected by 21 other vulnerabilities. |
|
VCID-6fd9-kenc-8fhc
Aliases: CVE-2020-10776 GHSA-484q-784p-8m5h |
Cross-site Scripting in keycloak A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
Affected by 15 other vulnerabilities. |
|
VCID-7t4n-1rts-g7cx
Aliases: CVE-2023-6134 GHSA-cvg2-7c3j-g36j |
Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri Keycloak prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This could permit an attacker to submit a specially crafted request leading to XSS or possibly further attacks. |
Affected by 1 other vulnerability. |
|
VCID-919t-yfm6-dydu
Aliases: CVE-2023-0091 GHSA-v436-q368-hvgg GMS-2023-37 |
Keycloak has lack of validation of access token on client registrations endpoint When a service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token. If the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints. | There are no reported fixed by versions. |
|
VCID-9vph-vtgn-7yhs
Aliases: CVE-2023-0105 GHSA-c7xw-p58w-h6fj |
Keycloak: Impersonation and lockout possible through incorrect handling of email trust Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them. | There are no reported fixed by versions. |
|
VCID-b6mp-jcq2-uqbv
Aliases: CVE-2021-20202 GHSA-6xp6-fmc8-pmmr |
Temporary Directory Hijacking Vulnerability in Keycloak A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity. |
Affected by 10 other vulnerabilities. |
|
VCID-c3gj-w7y1-d3dm
Aliases: CVE-2022-1466 GHSA-f32v-vf79-p29q |
Improper authorization in Keycloak Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. |
Affected by 9 other vulnerabilities. |
|
VCID-cnju-ee9e-d3c1
Aliases: CVE-2019-10201 GHSA-4fgq-gq9g-3rw7 |
Improper Verification of Cryptographic Signature in keycloak It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. |
Affected by 28 other vulnerabilities. |
|
VCID-cp6h-pgxj-4fck
Aliases: CVE-2019-14820 GHSA-xfqh-7356-vqjj |
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. |
Affected by 21 other vulnerabilities. |
|
VCID-e3ff-n9zd-u7fm
Aliases: CVE-2020-1724 GHSA-8xj2-47xw-q78c |
Keycloak Insufficient Session Expiry A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. |
Affected by 18 other vulnerabilities. |
|
VCID-e8vg-dt2k-a3f1
Aliases: CVE-2018-14637 GHSA-gf2j-7qwg-4f5x |
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack. |
Affected by 31 other vulnerabilities. |
|
VCID-ecgn-akb2-2bhh
Aliases: CVE-2020-1694 GHSA-72j4-94rx-cr6w |
Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions. |
Affected by 16 other vulnerabilities. |
|
VCID-gyrk-cxkp-uyh8
Aliases: CVE-2021-3513 GHSA-xv7h-95r7-595j |
Incorrect implementation of lockout feature in Keycloak A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. |
Affected by 10 other vulnerabilities. |
|
VCID-k4gc-uaw5-gyer
Aliases: CVE-2020-1728 GHSA-3gg7-9q2x-79fc |
Improper Restriction of Rendered UI Layers or Frames in Keycloak A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. |
Affected by 16 other vulnerabilities. |
|
VCID-m2sg-bxzt-d3g7
Aliases: CVE-2020-1744 GHSA-4gf2-xv97-63m2 |
Exposure of Sensitive Information in keycloak A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events. |
Affected by 18 other vulnerabilities. |
|
VCID-m9nn-mnr2-2qbq
Aliases: CVE-2020-27838 GHSA-pcv5-m2wh-66j3 |
Keycloak discloses information without authentication A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. | There are no reported fixed by versions. |
|
VCID-madv-hm8a-dfbq
Aliases: CVE-2019-10199 GHSA-p5xp-6vpf-jwvh |
Improper Input Validation and Cross-Site Request Forgery in Keycloak It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain. |
Affected by 28 other vulnerabilities. |
|
VCID-pqv8-9md7-ykg2
Aliases: CVE-2019-3875 GHSA-38cg-gg9j-q9j9 |
Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle. |
Affected by 28 other vulnerabilities. |
|
VCID-q2c3-9u54-j3h2
Aliases: CVE-2022-2237 GHSA-59fq-727j-hm3f GMS-2023-578 |
keycloak-connect contains Open redirect vulnerability in the Node.js adapter There is an Open Redirect vulnerability in the Node.js adapter when forwarding requests to Keycloak using `checkSSO` with query param `prompt=none`. |
Affected by 8 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-rbk3-3kp9-dfh7
Aliases: CVE-2020-1698 GHSA-qgmm-f2qw-r95f |
Keycloak leaks sensitive information in logged exceptions A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. |
Affected by 21 other vulnerabilities. |
|
VCID-rmk2-8vdv-ubdt
Aliases: CVE-2023-48795 GHSA-45x7-px36-x8w8 |
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. | There are no reported fixed by versions. |
|
VCID-tab1-5msc-nfh5
Aliases: CVE-2020-1718 GHSA-j229-2h63-rvh9 |
Improper Authentication for Keycloak A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. |
Affected by 21 other vulnerabilities. |
|
VCID-ubns-dvvn-3kej
Aliases: CVE-2022-4137 GHSA-9hhc-pj4w-w5rv GMS-2023-616 |
Keycloak Cross-site Scripting on OpenID connect login service A reflected cross-site scripting (XSS) vulnerability was found in the `oob` OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. | There are no reported fixed by versions. |
|
VCID-xjby-9929-kyed
Aliases: CVE-2020-14389 GHSA-c9x9-xv66-xp3v |
Improper privilege management in Keycloak A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission. |
Affected by 15 other vulnerabilities. |
|
VCID-xkq6-s5da-yub7
Aliases: CVE-2022-1438 GHSA-w354-2f3c-qvg9 GMS-2023-529 |
Keycloak vulnerable to Cross-site Scripting A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability. ## Details This issue is the result of code found in the exception here: [https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045](https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045) ## Steps to reproduce When using the legacy admin console: 1. Sign in as Admin user in first tab. 2. In that tab create new user in keycloak admin section > intercept user creation request and modify it by including malicious js script there (in username field). 3. Sign in as newly created user in second tab (same browser window but second tab). 4. Navigate back to first tab where you are signed in as admin, navigate to admin console which lists all application users. 5. Choose any user (except newly created malicious one) – modify anything for that user in his settings. E.g. navigate to credentials tab and set new credentials for him. Also set new password as temporary. 6. After update for that user is made, use impersonate option on that modified user. 7. You should see window with form which requires providing new credentials – fill it and submit request. 8. Just after submiting request user will get notified that “You are already authenticated as different user ‘[user + payload]’ in this session. Please sign out first.” And malicious payload will be executed instantly. | There are no reported fixed by versions. |
|
VCID-ynan-6bh4-cfhq
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:y@example.com](https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input. ### Acknowledgements Karel Knibbe |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||