apk package
chainguard/keycloak-fips-26.4-operator
pkg:apk/chainguard/keycloak-fips-26.4-operator
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67735 | — | < 26.4.7-r13 | 26.4.7-r13 | Dec 16, 2025 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh | ||
| CVE-2025-14082 | Low | 2.7 | < 26.4.7-r12 | 26.4.7-r12 | Dec 10, 2025 | A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. | |
| CVE-2025-66021 | — | < 26.4.6-r0 | 26.4.6-r0 | Nov 26, 2025 | OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows n | ||
| CVE-2025-12390 | Med | 6.0 | < 26.4.4-r0 | 26.4.4-r0 | Oct 28, 2025 | A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie | |
| CVE-2025-10939 | Low | 3.7 | < 26.4.4-r0 | 26.4.4-r0 | Oct 28, 2025 | A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application pat | |
| CVE-2025-59250 | — | < 0 | 0 | Oct 14, 2025 | Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network. |
- CVE-2025-67735Dec 16, 2025affected < 26.4.7-r13fixed 26.4.7-r13
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
- affected < 26.4.7-r12fixed 26.4.7-r12
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
- CVE-2025-66021Nov 26, 2025affected < 26.4.6-r0fixed 26.4.6-r0
OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows n
- affected < 26.4.4-r0fixed 26.4.4-r0
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie
- affected < 26.4.4-r0fixed 26.4.4-r0
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application pat
- CVE-2025-59250Oct 14, 2025affected < 0fixed 0
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.