VYPR

Keycloak

by Red Hat


CVEs (45)

  • CVE-2019-3868 (Apr 24, 2019)
    risk 0.00 | cvss n/a | epss 0.01

    Keycloak up to version 6.0.0 allows the end-user token (access or ID token JWT) to be used as the session cookie for browser sessions for OIDC. As a result, an attacker with access to the service provider backend could hijack a user's browser session.

  • CVE-2018-14655 (Nov 13, 2018)
    risk 0.00 | cvss n/a | epss 0.01

    A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary JavaScript code via the 'state' parameter in the authentication URL. This allows an XSS attack upon successful login.

  • CVE-2018-14658 (Nov 13, 2018)
    risk 0.00 | cvss n/a | epss 0.01

    A flaw was found in JBoss Keycloak 3.2.1.Final. The redirect URLs for both login and logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect URL is verified. This can lead to an open redirection attack.

  • CVE-2018-14657 (Nov 13, 2018)
    risk 0.00 | cvss n/a | epss 0.01

    A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOTP is enabled, an improper implementation of the brute-force detection algorithm will not enforce its protection measures.

  • CVE-2017-2582 (Medium) (Jul 26, 2018)
    risk 0.00 | cvss 6.5 | epss 0.02

    It was found that, while parsing SAML messages, the StaxParserUtil class of Keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property values. This could allow an attacker to determine values of system properties at the attacked system by…

Page 3 of 3