apk package
wolfi/keycloak-bitnami-compat
pkg:apk/wolfi/keycloak-bitnami-compat
Vulnerabilities (58)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-5967 | Low | 2.7 | < 25.0.1-r0 | 25.0.1-r0 | Jun 18, 2024 | A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host | |
| CVE-2024-30172 | Hig | 7.5 | < 25.0.0-r0 | 25.0.0-r0 | May 14, 2024 | An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key. | |
| CVE-2024-30171 | Med | 5.9 | < 25.0.0-r0 | 25.0.0-r0 | May 14, 2024 | An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. | |
| CVE-2024-29857 | Hig | 7.5 | < 25.0.0-r0 | 25.0.0-r0 | May 14, 2024 | An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during | |
| CVE-2024-34447 | Hig | 7.5 | < 25.0.0-r0 | 25.0.0-r0 | May 3, 2024 | An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explici | |
| CVE-2023-6717 | Med | 6.0 | < 24.0.3-r0 | 24.0.3-r0 | Apr 25, 2024 | A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one real | |
| CVE-2023-6544 | Med | 5.4 | < 24.0.3-r0 | 24.0.3-r0 | Apr 25, 2024 | A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this spe | |
| CVE-2023-6787 | — | < 24.0.3-r0 | 24.0.3-r0 | Apr 25, 2024 | A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the us | ||
| CVE-2023-3597 | Med | 5.0 | < 24.0.3-r0 | 24.0.3-r0 | Apr 25, 2024 | A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass | |
| CVE-2024-2419 | Hig | 7.1 | < 24.0.3-r0 | 24.0.3-r0 | Apr 17, 2024 | A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to C | |
| CVE-2024-1249 | Hig | 7.4 | < 24.0.3-r0 | 24.0.3-r0 | Apr 17, 2024 | A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability wit | |
| CVE-2024-1132 | — | < 24.0.3-r0 | 24.0.3-r0 | Apr 17, 2024 | A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. Th | ||
| CVE-2024-29025 | — | < 24.0.2-r1 | 24.0.2-r1 | Mar 25, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t | ||
| CVE-2024-21742 | — | < 24.0.0-r0 | 24.0.0-r0 | Feb 27, 2024 | Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages. | ||
| CVE-2024-1597 | — | < 23.0.7-r0 | 23.0.7-r0 | Feb 19, 2024 | pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeh | ||
| CVE-2023-6927 | — | < 23.0.4-r0 | 23.0.4-r0 | Dec 18, 2023 | A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134. | ||
| CVE-2023-44483 | — | < 22.0.5-r1 | 22.0.5-r1 | Oct 20, 2023 | All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are | ||
| CVE-2023-4586 | — | < 26.1.4-r0 | 26.1.4-r0 | Oct 4, 2023 | A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack. | ||
| CVE-2023-0264 | — | < 0 | 0 | Aug 4, 2023 | A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session t | ||
| CVE-2023-2976 | — | < 0 | 0 | Jun 14, 2023 | Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to |
- affected < 25.0.1-r0fixed 25.0.1-r0
A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host
- affected < 25.0.0-r0fixed 25.0.0-r0
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
- affected < 25.0.0-r0fixed 25.0.0-r0
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
- affected < 25.0.0-r0fixed 25.0.0-r0
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during
- affected < 25.0.0-r0fixed 25.0.0-r0
An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explici
- affected < 24.0.3-r0fixed 24.0.3-r0
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one real
- affected < 24.0.3-r0fixed 24.0.3-r0
A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this spe
- CVE-2023-6787Apr 25, 2024affected < 24.0.3-r0fixed 24.0.3-r0
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the us
- affected < 24.0.3-r0fixed 24.0.3-r0
A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass
- affected < 24.0.3-r0fixed 24.0.3-r0
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to C
- affected < 24.0.3-r0fixed 24.0.3-r0
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability wit
- CVE-2024-1132Apr 17, 2024affected < 24.0.3-r0fixed 24.0.3-r0
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. Th
- CVE-2024-29025Mar 25, 2024affected < 24.0.2-r1fixed 24.0.2-r1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t
- CVE-2024-21742Feb 27, 2024affected < 24.0.0-r0fixed 24.0.0-r0
Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.
- CVE-2024-1597Feb 19, 2024affected < 23.0.7-r0fixed 23.0.7-r0
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeh
- CVE-2023-6927Dec 18, 2023affected < 23.0.4-r0fixed 23.0.4-r0
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.
- CVE-2023-44483Oct 20, 2023affected < 22.0.5-r1fixed 22.0.5-r1
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are
- CVE-2023-4586Oct 4, 2023affected < 26.1.4-r0fixed 26.1.4-r0
A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.
- CVE-2023-0264Aug 4, 2023affected < 0fixed 0
A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session t
- CVE-2023-2976Jun 14, 2023affected < 0fixed 0
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to
Page 2 of 3