VYPR

Maven package

org.keycloak/keycloak-core

pkg:maven/org.keycloak/keycloak-core

Vulnerabilities (49)

  • CVE-2024-4028 | Low | Feb 18, 2025
    affected <= 26.1.2

    A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

  • CVE-2024-10039 | High | Nov 25, 2024
    affected < 26.0.6, fixed 26.0.6

    A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the a

  • CVE-2023-6841 | Sep 10, 2024
    affected < 24.0.0, fixed 24.0.0

    A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited. An attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values.

  • CVE-2024-7318 | Sep 9, 2024
    affected < 24.0.7, fixed 24.0.7

    A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute

  • CVE-2024-7260 | Sep 9, 2024
    affected < 24.0.7, fixed 24.0.7

    An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe,

  • CVE-2023-6927 | Dec 18, 2023
    affected < 23.0.4, fixed 23.0.4

    A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

  • CVE-2023-4918 | Sep 12, 2023
    affected >= 22.0.2, < 22.0.3, fixed 22.0.3

    A flaw was found in the Keycloak package, more specifically in org.keycloak.userprofile. When a user registers through the registration flow, the "password" and "password-confirm" fields from the form will occur as regular user attributes. All users and clients with proper rights

  • CVE-2023-1664 | May 26, 2023
    affected < 21.1.2, fixed 21.1.2

    A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated b

  • CVE-2023-0105 | Jan 11, 2023
    affected < 22.0.1, fixed 22.0.1

    A flaw was found in Keycloak. This flaw allows impersonation and lockout because email trust is not handled correctly in Keycloak. An attacker can shadow other users who share the same email address and lock out or impersonate them.

  • CVE-2023-0091 | Jan 11, 2023
    affected < 20.0.3, fixed 20.0.3

    A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

  • CVE-2022-0225 | Aug 26, 2022
    affected <= 16.1.0

    A flaw was found in Keycloak. This flaw allows a privileged attacker to use a malicious payload as the group name while creating a new group from the admin console, leading to a stored cross-site scripting (XSS) attack.

  • CVE-2021-3632 | Aug 26, 2022
    affected < 15.1.0, fixed 15.1.0

    A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key for any user who does not already have a device registered, by using the WebAuthn password-less login flow.

  • CVE-2021-3856 | Aug 26, 2022
    affected < 15.1.0, fixed 15.1.0

    ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if availab

  • CVE-2020-35509 | Aug 23, 2022
    affected < 14.0.0, fixed 14.0.0

    A flaw was found in Keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing timestamp validation. The highest threat from this vulnerability is to data confidentiality and integrity.

  • CVE-2022-1466 | Apr 26, 2022
    affected < 17.0.1, fixed 17.0.1

    Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

  • CVE-2021-20323 | Mar 25, 2022
    affected >= 15.0.0, < 17.0.0, fixed 17.0.0

    A POST-based reflected cross-site scripting vulnerability on has been identified in Keycloak.

  • CVE-2021-20195 | May 28, 2021
    affected < 13.0.0, fixed 13.0.0

    A flaw was found in Keycloak in versions before 13.0.0. A self-stored XSS attack vector escalating to a complete account takeover is possible because user-supplied data fields are not properly encoded and JavaScript code is used to process the data. The highest threat from th

  • CVE-2020-27826 | May 28, 2021
    affected < 12.0.0, fixed 12.0.0

    A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using the Account REST API. This flaw allows an attacker to change their own NameID attribute to impersonate the admin user for any particular application.

  • CVE-2021-20202 | May 12, 2021
    affected < 13.0.0, fixed 13.0.0

    A flaw was found in Keycloak. Directories can be created in the temporary directory before the Java process creates them, but with wider user permissions, allowing the attacker to access the contents that Keycloak stores in this directory. The highest threat from this

  • CVE-2021-20262 | Mar 9, 2021
    affected <= 12.0.4

    A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary physical access to a user's browser. The highest threat from this vulnerability is to confide

Page 1 of 3