Maven package
org.keycloak/keycloak-services
pkg:maven/org.keycloak/keycloak-services
Vulnerabilities (73)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-1438 | — | — | — | <= 21.0.0 | — | Sep 20, 2023 | A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a cross-site scripting (XSS) vulnerability. |
| CVE-2023-0264 | — | — | — | < 21.0.1 | 21.0.1 | Aug 4, 2023 | A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session t |
| CVE-2022-4361 | — | — | — | < 21.1.2 | 21.1.2 | Jul 7, 2023 | Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_ur |
| CVE-2022-1274 | — | — | — | < 20.0.5 | 20.0.5 | Mar 29, 2023 | A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| CVE-2021-3754 | — | — | — | < 24.0.1 | 24.0.1 | Aug 26, 2022 | A flaw was found in Keycloak where an attacker is able to register with a username identical to the email ID of any existing user. This may prevent the existing user from receiving the password recovery email if they forget their password. |
| CVE-2022-1245 | — | — | — | < 18.0.0 | 18.0.0 | Jul 7, 2022 | A privilege escalation flaw was found in the token exchange feature of Keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unaut |
| CVE-2021-4133 | — | — | — | < 15.1.1 | 15.1.1 | Jan 25, 2022 | A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. |
| CVE-2021-3424 | — | — | — | < 18.0.0 | 18.0.0 | Jun 1, 2021 | A flaw was found in Keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register with a name already registered and trick an admin into granting them extra privileges. |
| CVE-2020-10776 | — | — | — | < 12.0.0 | 12.0.0 | Nov 17, 2020 | A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a cross-site scripting attack. |
| CVE-2014-3652 | — | — | — | < 1.1.0.Beta1 | 1.1.0.Beta1 | Dec 15, 2019 | JBoss KeyCloak: open redirect vulnerability via failure to validate the redirect URL. |
| CVE-2014-3655 | — | — | — | < 1.0.2.Final | 1.0.2.Final | Nov 13, 2019 | JBoss KeyCloak is vulnerable to soft token deletion via CSRF. |
| CVE-2018-10894 | — | — | — | < 4.4.0.Final | 4.4.0.Final | Aug 1, 2018 | It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. |
| CVE-2014-3709 | High | 8.8 | — | < 1.0.3.Final | 1.0.3.Final | Oct 18, 2017 | The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. |
Page 4 of 4