23 matches found

vulnersOsv
added 2025/02/18 6:33 p.m., 3 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.4.0), ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0) +716 more potentially affected by CVE-2024-4028 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=26.1.2)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 2.0.0, 0.1.0, 0.0.1, 1.5.1, 1.6.2, 1.5.2, 1.7.2, 1.0.22, 1.4.3, 1.6.5 and more. Source CVEs: CVE-2024-4028. Source advisory: OSV:GHSA-Q4XQ-445G-G6CH...

CVSS 3.8, AI score 5.5, EPSS 0.00278
Exploits: 0
vulnersOsv
added 2024/11/25 7:40 p.m., 2 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.4.0), ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0) +679 more potentially affected by CVE-2024-10039 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=26.0.5)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 2.0.0, 0.1.0, 0.0.1, 1.5.1, 1.6.2, 1.5.2, 1.7.2, 1.0.22, 1.4.3, 1.6.5 and more. Source CVEs: CVE-2024-10039. Source advisory: OSV:GHSA-93WW-43RR-79V3...

AI score 5.7, EPSS 0.00101
Exploits: 0
RedHat Linux
added 2024/11/21 7:23 p.m., 1 view

keycloak-core: mTLS passthrough

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication...

AI score 5.7, EPSS 0.00101
Exploits: 0, References: 5
vulnersOsv
added 2024/10/14 8:56 p.m., 3 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.3.0), cn.sparrowmini:sparrow-keycloak-adapter (>=0.0.1 <=0.0.2) +639 more potentially affected by CVE-2024-7318 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=24.0.5)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 2.0.0, 0.0.1, 1.5.1, 1.6.2, 1.5.2, 1.7.2, 1.0.22, 1.4.3, 1.2.9, 1.6.0 and more. Source CVEs: CVE-2024-7318. Source advisory: OSV:GHSA-XMMM-JW76-Q7VG...

CVSS 4.8, AI score 5.5, EPSS 0.00393
Exploits: 0
vulnersOsv
added 2024/09/10 6:30 p.m., 3 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.3.0), cn.sparrowmini:sparrow-keycloak-adapter (>=0.0.1 <=0.0.2) +610 more potentially affected by CVE-2023-6841 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=23.0.7)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 2.0.0, 0.0.1, 1.5.1, 1.6.2, 1.5.2, 1.7.2, 1.0.22, 1.4.3, 1.2.9, 1.6.0 and more. Source CVEs: CVE-2023-6841. Source advisory: OSV:GHSA-W97F-W3HQ-36G2...

CVSS 7.5, AI score 7.2, EPSS 0.00736
Exploits: 0
vulnersOsv
added 2024/09/09 9:31 p.m., 4 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.3.0), cn.sparrowmini:sparrow-keycloak-adapter (>=0.0.1 <=0.0.2) +639 more potentially affected by CVE-2024-7260 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=24.0.5)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 2.0.0, 0.0.1, 1.5.1, 1.6.2, 1.5.2, 1.7.2, 1.0.22, 1.4.3, 1.2.9, 1.6.0 and more. Source CVEs: CVE-2024-7260. Source advisory: OSV:GHSA-G4GC-RH26-M3P5...

CVSS 6.1, AI score 5.5, EPSS 0.00546
Exploits: 0
RedHat Linux
added 2024/09/09 4:5 p.m., 15 views

keycloak-core: Open Redirect on Account page

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed in which the referrer and referrer_uri parameters are set so as to trick a user into visiting a malicious web page. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it...

CVSS 6.1, AI score 5.7, EPSS 0.00546
Exploits: 0, References: 4
Veracode
added 2024/06/19 5:56 a.m., 47 views

Credential Leakage

org.keycloak:keycloak-core is vulnerable to credential leakage. The vulnerability is due to a lack of proper validation and enforcement when administrators change the LDAP connection URL without being required to re-enter the currently configured LDAP bind credentials. The vulnerability allows an...

CVSS 2.7, AI score 6.5, EPSS 0.00649
Exploits: 0, References: 11, Affected Software: 1
vulnersOsv
added 2024/01/23 2:43 p.m., 2 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.3.0), cn.sparrowmini:sparrow-keycloak-adapter (>=0.0.1 <=0.0.2) +587 more potentially affected by CVE-2023-6927 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=23.0.3)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 2.0.0, 0.0.1, 1.5.1, 1.6.2, 1.5.2, 1.7.2, 1.0.22, 1.4.3, 1.2.9, 1.6.0 and more. Source CVEs: CVE-2023-6927. Source advisory: OSV:GHSA-9VM7-V8WJ-3FQW...

CVSS 6.1, AI score 5.5, EPSS 0.01109
Exploits: 0
OSV
added 2024/01/23 2:43 p.m., 3 views

GHSA-9VM7-V8WJ-3FQW keycloak-core: open redirect via "form_post.jwt" JARM response mode

An incomplete fix was found in the Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt...

CVSS 4.6, AI score 5.9, EPSS 0.01109
Exploits: 0, References: 12
RedhatCVE
added 2023/12/18 4:11 p.m., 39 views

CVE-2023-6920

An incomplete fix was found in the Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". Changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the...

AI score 5, EPSS 0.01109
Exploits: 1, References: 3
vulnersOsv
added 2023/07/18 7:12 p.m., 3 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.2.0), cn.sparrowmini:sparrow-keycloak-adapter (>=0.0.1 <=0.0.2) +474 more potentially affected by CVE-2023-0105 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=22.0.0)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 2.0.0, 0.0.1, 1.5.1, 1.6.2, 1.5.2, 1.7.2, 1.0.22, 1.4.3, 1.2.9, 1.5.0 and more. Source CVEs: CVE-2023-0105. Source advisory: OSV:GHSA-C7XW-P58W-H6FJ...

CVSS 6.5, AI score 6.5, EPSS 0.007
Exploits: 0
vulnersOsv
added 2023/06/30 8:30 p.m., 2 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.2.0), cn.sparrowmini:sparrow-keycloak-adapter (>=0.0.1 <=0.0.2) +451 more potentially affected by CVE-2023-1664 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=21.1.1)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 2.0.0, 0.0.1, 1.5.1, 1.6.2, 1.5.2, 1.7.2, 1.0.22, 1.4.3, 1.2.9, 1.5.0 and more. Source CVEs: CVE-2023-1664. Source advisory: OSV:GHSA-5CC8-PGP5-7MPM...

CVSS 6.5, AI score 6.5, EPSS 0.00425
Exploits: 0
vulnersOsv
added 2023/01/12 11:39 p.m., 2 views

com.artipie:artipie (>=v0.28.1 <=v0.30.1), com.avast.grpc.jwt:grpc-java-jwt-keycloak (>=0.5.8 <=0.5.9) +346 more potentially affected by CVE-2023-0091 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=20.0.2)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, v0.28.1, 0.5.8, 0.2.0, 0.8.4, 7.0.0-M3, 7.0.0-M2, 7.0.0-M7 and more. Source CVEs: CVE-2023-0091. Source advisory: OSV:GHSA-V436-Q368-HVGG...

CVSS 3.8, AI score 5.9, EPSS 0.00466
Exploits: 0
vulnersOsv
added 2022/11/29 11:55 p.m., 3 views

com.blazebit:blaze-storage-client-keycloak (>=0.2.0 <=0.3.3), com.blazebit:blaze-storage-modules-authentication-keycloak (>=0.2.0 <=0.3.3) +257 more potentially affected by CVE-2022-0225 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=1.9.8.Final)

org.keycloak:keycloak-core (MAVEN), versions 1.0-alpha-1, 0.2.0, 0.8.4, 0.2.1, 0.13, 1.1.0.Final, 1.2.2.Final, 1.0.0.Beta2, 1.2.1.Final, 1.1.2.Final and more. Source CVEs: CVE-2022-0225. Source advisory: OSV:GHSA-755V-R4X4-QF7M...

CVSS 5.4, AI score 6.2, EPSS 0.02632
Exploits: 1
Veracode
added 2022/03/31 6:41 a.m., 32 views

Cross-Site Scripting (XSS)

Keycloak Core is vulnerable to reflected cross-site scripting. The vulnerability exists in the handling of POST HTTP requests: a lack of output escaping allows a malicious attacker to inject and execute arbitrary JavaScript...

CVSS 6.1, AI score 1.9, EPSS 0.37246
Exploits: 3, References: 5, Affected Software: 1
Veracode
added 2021/03/15 9:57 a.m., 26 views

Insecure Session Management

keycloak-core uses insecure session management. The application does not require re-authentication after a successful password change. In the event that an existing session has been obtained by an attacker, a password change will not cause the attacker's session to be invalidated...

CVSS 6.8, AI score 2.9, EPSS 0.00329
Exploits: 0, References: 3, Affected Software: 1
Veracode
added 2020/04/16 5:39 a.m., 30 views

Cross-site Scripting (XSS)

keycloak-core is vulnerable to cross-site scripting (XSS). The vulnerability exists because the external application links (Application Links) used in the admin console are not validated...

CVSS 6.1, AI score 1.5, EPSS 0.00758
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2018/10/18 4:50 p.m., 21 views

GHSA-959Q-32G8-VVP7 Moderate severity vulnerability that affects org.keycloak:keycloak-core

It was found that Keycloak before 3.4.2.Final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and obtain a valid reset token, leading to information disclosure or further...

CVSS 8.8, AI score 8.4, EPSS 0.01354
Exploits: 0, References: 4
OSV
added 2018/10/18 4:49 p.m., 32 views

GHSA-C77R-6F64-478Q keycloak-core discloses system properties

It was found that, while parsing SAML messages, the StaxParserUtil class of Keycloak before 2.5.1 replaces special strings used for obtaining attribute values with system property values. This could allow an attacker to determine the values of system properties on the attacked system by formatting the SAML...

CVSS 6.5, AI score 6.4, EPSS 0.02457
Exploits: 0, References: 2