VYPR

Maven package

org.keycloak/keycloak-core

pkg:maven/org.keycloak/keycloak-core

Vulnerabilities (49)

  • CVE-2018-14658MedNov 13, 2018
    affected <= 3.2.1.Final

    A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

  • CVE-2016-8609LowAug 1, 2018
    affected < 2.3.0fixed 2.3.0

    It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.

  • CVE-2017-2646HigJul 27, 2018
    affected < 2.5.5fixed 2.5.5

    It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker could use this flaw to conduct denial of service attacks.

  • CVE-2017-2582MedJul 26, 2018
    affected < 2.5.1fixed 2.5.1

    It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by format

  • CVE-2018-10912MedJul 23, 2018
    affected < 4.0.0fixed 4.0.0

    keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of

  • CVE-2017-2585MedMar 12, 2018
    affected < 2.5.1fixed 2.5.1

    Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.

  • CVE-2016-8629MedMar 12, 2018
    affected < 2.4.0fixed 2.4.0

    Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate

  • CVE-2017-12161HigFeb 21, 2018
    affected < 3.4.2fixed 3.4.2

    It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclos

  • CVE-2014-3651HigDec 29, 2017
    affected < 1.0.3fixed 1.0.3

    JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation.

Page 3 of 3