Maven package
org.keycloak/keycloak-parent
pkg:maven/org.keycloak/keycloak-parent
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-14657 | — | — | | < 4.6.0.Final | 4.6.0.Final | Nov 13, 2018 | A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOTP is enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures. |
| CVE-2018-14655 | — | — | | <= 3.4.3.Final | — | Nov 13, 2018 | A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary JavaScript code via the 'state' parameter in the authentication URL. This allows an XSS attack upon successful login. |
| CVE-2017-12160 | High | 7.2 | | < 3.3.0.Final | 3.3.0.Final | Oct 26, 2017 | It was found that Keycloak OAuth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to g |
| CVE-2017-12159 | High | 7.5 | | < 3.4.0 | 3.4.0 | Oct 26, 2017 | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. |
| CVE-2017-12158 | Medium | 5.4 | | < 3.4.0 | 3.4.0 | Oct 26, 2017 | It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. |