VYPR

Maven package

org.keycloak/keycloak-services

pkg:maven/org.keycloak/keycloak-services

Vulnerabilities (74)

  • CVE-2024-10270MedNov 25, 2024
    affected < 24.0.9fixed 24.0.9

    A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

  • CVE-2023-0657LowNov 17, 2024
    affected < 22.0.10fixed 22.0.10

    A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

  • CVE-2022-2232HigNov 14, 2024
    affected < 23.0.1fixed 23.0.1

    A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.

  • CVE-2024-3656HigOct 9, 2024
    affected < 24.0.5fixed 24.0.5

    A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

  • CVE-2024-8883Sep 19, 2024
    affected < 22.0.13fixed 22.0.13

    A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker

  • CVE-2024-7341Sep 9, 2024
    affected < 22.0.12fixed 22.0.12

    A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session be

  • CVE-2024-4629Sep 3, 2024
    affected < 22.0.12fixed 22.0.12

    A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system lo

  • CVE-2024-4540HigJun 3, 2024
    affected < 24.0.5fixed 24.0.5

    A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leadi

  • CVE-2023-6717MedApr 25, 2024
    affected < 22.0.10fixed 22.0.10

    A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one real

  • CVE-2023-6544MedApr 25, 2024
    affected < 22.0.10fixed 22.0.10

    A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this spe

  • CVE-2023-6484MedApr 25, 2024
    affected < 22.0.9fixed 22.0.9

    A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.

  • CVE-2023-6787Apr 25, 2024
    affected < 22.0.10fixed 22.0.10

    A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the us

  • CVE-2023-3597MedApr 25, 2024
    affected < 22.0.10fixed 22.0.10

    A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass

  • CVE-2024-2419HigApr 17, 2024
    affected < 22.0.10fixed 22.0.10

    A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to C

  • CVE-2024-1249HigApr 17, 2024
    affected < 22.0.10fixed 22.0.10

    A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability wit

  • CVE-2024-1132Apr 17, 2024
    affected < 22.0.10fixed 22.0.10

    A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. Th

  • CVE-2024-1722Feb 27, 2024
    affected < 24.0.0fixed 24.0.0

    A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

  • CVE-2023-6291HigJan 26, 2024
    affected < 23.0.3fixed 23.0.3

    A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

  • CVE-2023-2585LowDec 21, 2023
    affected < 21.1.2fixed 21.1.2

    Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible

  • CVE-2023-6134MedDec 14, 2023
    affected < 23.0.3fixed 23.0.3

    A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the re