Maven package
org.keycloak/keycloak-services
pkg:maven/org.keycloak/keycloak-services
Vulnerabilities (74)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-10270 | Med | 6.5 | < 24.0.9 | 24.0.9 | Nov 25, 2024 | A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. | |
| CVE-2023-0657 | Low | 3.4 | < 22.0.10 | 22.0.10 | Nov 17, 2024 | A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. | |
| CVE-2022-2232 | Hig | 7.5 | < 23.0.1 | 23.0.1 | Nov 14, 2024 | A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions. | |
| CVE-2024-3656 | Hig | 8.1 | < 24.0.5 | 24.0.5 | Oct 9, 2024 | A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. | |
| CVE-2024-8883 | — | < 22.0.13 | 22.0.13 | Sep 19, 2024 | A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker | ||
| CVE-2024-7341 | — | < 22.0.12 | 22.0.12 | Sep 9, 2024 | A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session be | ||
| CVE-2024-4629 | — | < 22.0.12 | 22.0.12 | Sep 3, 2024 | A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system lo | ||
| CVE-2024-4540 | Hig | 7.5 | < 24.0.5 | 24.0.5 | Jun 3, 2024 | A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leadi | |
| CVE-2023-6717 | Med | 6.0 | < 22.0.10 | 22.0.10 | Apr 25, 2024 | A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one real | |
| CVE-2023-6544 | Med | 5.4 | < 22.0.10 | 22.0.10 | Apr 25, 2024 | A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this spe | |
| CVE-2023-6484 | Med | 5.3 | < 22.0.9 | 22.0.9 | Apr 25, 2024 | A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity. | |
| CVE-2023-6787 | — | < 22.0.10 | 22.0.10 | Apr 25, 2024 | A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the us | ||
| CVE-2023-3597 | Med | 5.0 | < 22.0.10 | 22.0.10 | Apr 25, 2024 | A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass | |
| CVE-2024-2419 | Hig | 7.1 | < 22.0.10 | 22.0.10 | Apr 17, 2024 | A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to C | |
| CVE-2024-1249 | Hig | 7.4 | < 22.0.10 | 22.0.10 | Apr 17, 2024 | A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability wit | |
| CVE-2024-1132 | — | < 22.0.10 | 22.0.10 | Apr 17, 2024 | A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. Th | ||
| CVE-2024-1722 | — | < 24.0.0 | 24.0.0 | Feb 27, 2024 | A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in. | ||
| CVE-2023-6291 | Hig | 7.1 | < 23.0.3 | 23.0.3 | Jan 26, 2024 | A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. | |
| CVE-2023-2585 | Low | 3.5 | < 21.1.2 | 21.1.2 | Dec 21, 2023 | Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible | |
| CVE-2023-6134 | Med | 4.6 | < 23.0.3 | 23.0.3 | Dec 14, 2023 | A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the re |
- affected < 24.0.9fixed 24.0.9
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
- affected < 22.0.10fixed 22.0.10
A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
- affected < 23.0.1fixed 23.0.1
A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.
- affected < 24.0.5fixed 24.0.5
A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
- CVE-2024-8883Sep 19, 2024affected < 22.0.13fixed 22.0.13
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker
- CVE-2024-7341Sep 9, 2024affected < 22.0.12fixed 22.0.12
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session be
- CVE-2024-4629Sep 3, 2024affected < 22.0.12fixed 22.0.12
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system lo
- affected < 24.0.5fixed 24.0.5
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leadi
- affected < 22.0.10fixed 22.0.10
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one real
- affected < 22.0.10fixed 22.0.10
A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this spe
- affected < 22.0.9fixed 22.0.9
A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.
- CVE-2023-6787Apr 25, 2024affected < 22.0.10fixed 22.0.10
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the us
- affected < 22.0.10fixed 22.0.10
A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass
- affected < 22.0.10fixed 22.0.10
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to C
- affected < 22.0.10fixed 22.0.10
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability wit
- CVE-2024-1132Apr 17, 2024affected < 22.0.10fixed 22.0.10
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. Th
- CVE-2024-1722Feb 27, 2024affected < 24.0.0fixed 24.0.0
A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.
- affected < 23.0.3fixed 23.0.3
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
- affected < 21.1.2fixed 21.1.2
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible
- affected < 23.0.3fixed 23.0.3
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the re
Page 3 of 4