Keycloak
Sign in to watchby N/a
CVEs (36)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-10770 | 0.10 | — | 0.92 | Dec 15, 2020 | A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. | ||
| CVE-2023-4918 | 0.00 | — | 0.00 | Sep 12, 2023 | A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment. | ||
| CVE-2023-1664 | 0.00 | — | 0.00 | May 26, 2023 | A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable. | ||
| CVE-2022-1274 | 0.00 | — | 0.01 | Mar 29, 2023 | A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. | ||
| CVE-2022-2237 | 0.00 | — | 0.00 | Mar 27, 2023 | A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function. | ||
| CVE-2022-2256 | 0.00 | — | 0.01 | Sep 1, 2022 | A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality. | ||
| CVE-2022-0225 | 0.00 | — | 0.01 | Aug 26, 2022 | A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack. | ||
| CVE-2021-3632 | 0.00 | — | 0.01 | Aug 26, 2022 | A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. | ||
| CVE-2021-3754 | 0.00 | — | 0.12 | Aug 26, 2022 | A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. | ||
| CVE-2021-3856 | 0.00 | — | 0.00 | Aug 26, 2022 | ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available. | ||
| CVE-2020-35509 | 0.00 | — | 0.00 | Aug 23, 2022 | A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity. | ||
| CVE-2021-3827 | 0.00 | — | 0.00 | Aug 23, 2022 | A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. | ||
| CVE-2021-3513 | 0.00 | — | 0.00 | Aug 22, 2022 | A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. | ||
| CVE-2022-2668 | 0.00 | — | 0.00 | Aug 5, 2022 | An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled | ||
| CVE-2022-1245 | 0.00 | — | 0.00 | Jul 7, 2022 | A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services. | ||
| CVE-2021-3461 | 0.00 | — | 0.00 | Apr 1, 2022 | A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. | ||
| CVE-2021-4133 | 0.00 | — | 0.00 | Jan 25, 2022 | A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. | ||
| CVE-2021-3424 | 0.00 | — | 0.00 | Jun 1, 2021 | A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges. | ||
| CVE-2021-20195 | 0.00 | — | 0.00 | May 28, 2021 | A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||
| CVE-2020-27826 | 0.00 | — | 0.00 | May 28, 2021 | A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. |
Page 1 of 2