apk package
chainguard/keycloak-fips
pkg:apk/chainguard/keycloak-fips
Vulnerabilities (39)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-7962 | — | < 26.3.2-r1 | 26.3.2-r1 | Jul 21, 2025 | In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages. | ||
| CVE-2025-49146 | — | < 26.2.5-r3 | 26.2.5-r3 | Jun 11, 2025 | pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that | ||
| CVE-2025-3501 | Hig | 8.2 | < 26.2.2-r0 | 26.2.2-r0 | Apr 29, 2025 | A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. | |
| CVE-2025-3910 | — | < 26.2.2-r0 | 26.2.2-r0 | Apr 29, 2025 | A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | ||
| CVE-2024-4028 | Low | 3.8 | < 26.1.3-r0 | 26.1.3-r0 | Feb 18, 2025 | A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. | |
| CVE-2025-1247 | Hig | 8.3 | < 26.1.3-r0 | 26.1.3-r0 | Feb 13, 2025 | A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information. | |
| CVE-2025-25193 | — | < 0 | 0 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts | ||
| CVE-2025-24970 | — | < 26.1.2-r1 | 26.1.2-r1 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas | ||
| CVE-2025-0604 | Med | 5.4 | < 26.1.1-r0 | 26.1.1-r0 | Jan 22, 2025 | A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycl | |
| CVE-2024-12397 | Hig | 7.4 | < 26.0.7-r1 | 26.0.7-r1 | Dec 12, 2024 | A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leadi | |
| CVE-2024-10039 | hig | — | < 26.0.6-r0 | 26.0.6-r0 | Nov 25, 2024 | A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the a | |
| CVE-2024-9666 | Med | 4.7 | < 26.0.6-r0 | 26.0.6-r0 | Nov 25, 2024 | A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identif | |
| CVE-2024-10492 | Low | 2.7 | < 26.0.6-r0 | 26.0.6-r0 | Nov 25, 2024 | A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, a | |
| CVE-2024-10451 | Med | 5.9 | < 26.0.6-r0 | 26.0.6-r0 | Nov 25, 2024 | A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specifie | |
| CVE-2024-10270 | Med | 6.5 | < 26.0.6-r0 | 26.0.6-r0 | Nov 25, 2024 | A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. | |
| CVE-2023-0657 | Low | 3.4 | < 24.0.3-r0 | 24.0.3-r0 | Nov 17, 2024 | A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. | |
| CVE-2024-47535 | — | < 0 | 0 | Nov 12, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application | ||
| CVE-2024-3656 | Hig | 8.1 | < 25.0.0-r0 | 25.0.0-r0 | Oct 9, 2024 | A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. | |
| CVE-2023-6841 | — | < 26.1.4-r0 | 26.1.4-r0 | Sep 10, 2024 | A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. | ||
| CVE-2024-7341 | — | < 25.0.4-r0 | 25.0.4-r0 | Sep 9, 2024 | A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session be |
- CVE-2025-7962Jul 21, 2025affected < 26.3.2-r1fixed 26.3.2-r1
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
- CVE-2025-49146Jun 11, 2025affected < 26.2.5-r3fixed 26.2.5-r3
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that
- affected < 26.2.2-r0fixed 26.2.2-r0
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
- CVE-2025-3910Apr 29, 2025affected < 26.2.2-r0fixed 26.2.2-r0
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
- affected < 26.1.3-r0fixed 26.1.3-r0
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.
- affected < 26.1.3-r0fixed 26.1.3-r0
A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
- CVE-2025-25193Feb 10, 2025affected < 0fixed 0
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
- CVE-2025-24970Feb 10, 2025affected < 26.1.2-r1fixed 26.1.2-r1
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas
- affected < 26.1.1-r0fixed 26.1.1-r0
A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycl
- affected < 26.0.7-r1fixed 26.0.7-r1
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leadi
- affected < 26.0.6-r0fixed 26.0.6-r0
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the a
- affected < 26.0.6-r0fixed 26.0.6-r0
A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identif
- affected < 26.0.6-r0fixed 26.0.6-r0
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, a
- affected < 26.0.6-r0fixed 26.0.6-r0
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specifie
- affected < 26.0.6-r0fixed 26.0.6-r0
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
- affected < 24.0.3-r0fixed 24.0.3-r0
A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
- CVE-2024-47535Nov 12, 2024affected < 0fixed 0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
- affected < 25.0.0-r0fixed 25.0.0-r0
A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
- CVE-2023-6841Sep 10, 2024affected < 26.1.4-r0fixed 26.1.4-r0
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.
- CVE-2024-7341Sep 9, 2024affected < 25.0.4-r0fixed 25.0.4-r0
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session be
Page 1 of 2