10 matches found
Improper Certificate Validation
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation via packed self-attestation in WebAuthn registration. An attacker can bypass...
GHSA-7G5X-9C4V-4W5R Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...
CVE-2025-12150
Keycloak WebAuthn registration component is affected by CVE-2025-12150. An attacker can bypass the realm’s attestation policy by submitting an attestation object with fmt: "none", enabling registration of untrusted/ forged authenticators and weakening authentication integrity. The issue arises de...
CVE-2025-12150 Org.keycloak/keycloak-services: webauthn attestation statement verification bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...
CVE-2026-22696
CVE-2026-22696 concerns the dcap-qvl library used for SGX/TDX quote verification. The issue is a gap in cryptographic verification where QE Identity collateral is fetched from PCCS but the QE Identity signature is not verified against its certificate chain, and QE Report policy checks are not enf...
org.keycloak/keycloak-services: WebAuthn Attestation Statement Verification Bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...
Moderate: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.4 Images Security Update
New images are available for Red Hat build of Keycloak 26.4.4 and Red Hat build of Keycloak 26.4.4 Operator, running on OpenShift Container Platform Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat...
org.keycloak/keycloak-services: WebAuthn Attestation Statement Verification Bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...
SUSE CVE-2021-26311
In the AMD SEV/SEV-ES feature, memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to...