Keycloak Security Vulnerabilities

CVE-2020-10686

A flaw was found in Keycloak versions 8.0.2 and 9.0.0, fixed in Keycloak 9.0.1, where a malicious user registers as themselves. The attacker could then use the remove-devices form to post different credential IDs and possibly remove MFA devices for other...

CVSS 4.7 | AI Score 4.6 | EPSS 0.001 | 2020-05-04 09:15 PM

CVE-2022-4361

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the...

CVSS 10.0 | AI Score 5.7 | EPSS 0.0005 | 2023-07-07 08:15 PM

CVE-2020-1723

A flaw was found in Keycloak Gatekeeper (Louketo). The logout endpoint can be abused to redirect logged-in users to arbitrary web pages. Affected versions of Keycloak Gatekeeper (Louketo): 6.0.1,...

CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2021-01-28 08:15 PM

CVE-2019-14820

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized...

CVSS 4.3 | AI Score 4.4 | EPSS 0.001 | 2020-01-08 03:15 PM

CVE-2014-3652

JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect...

CVSS 6.1 | AI Score 6.2 | EPSS 0.001 | 2019-12-15 10:15 PM

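Both CVE-2014-3652 (redirect_uri validation) and CVE-2020-1723 (the Louketo logout endpoint) above are open-redirect issues. The following is an added example, not Keycloak's or Louketo's own code, of the check a practitioner wants at such an endpoint: the requested target is compared against the client's registered redirect URIs, and anything else falls back to a fixed page. The registration table, the trailing-`*` prefix convention and the function names are assumptions made for this example.

```python
"""Validating a redirect target against a client's registered redirect URIs.

Added illustrative example, not Keycloak's or Louketo's own code. It assumes a
registration table of the form {client_id: [allowed URIs]} and a wildcard
convention (a registered URI ending in "*" matches any path under that prefix
on the same scheme, host and port); both are assumptions for this example.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample registration used by the example.
REGISTERED_REDIRECTS = {
    "web-app": [
        "https://app.example.com/callback",
        "https://app.example.com/oidc/*",
    ],
    "logout-portal": ["https://portal.example.com/"],
}


def _components(url: str) -> Tuple[str, str, Optional[int], str]:
    """Return (scheme, host, port, path), case folded, default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # raises ValueError on a malformed port
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    return scheme, host, port, parts.path or "/"


def is_allowed_redirect(client_id: str, candidate: str) -> bool:
    """True only if candidate matches a registered URI exactly (scheme, host,
    port, path; the query string is ignored) or falls under a registered "*"
    prefix. Schemeless or relative URLs, non-http(s) schemes, userinfo
    ("user@host") and fragments are rejected outright."""
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("https", "http") or not parts.hostname:
        return False
    if parts.username is not None or parts.fragment:
        return False
    try:
        c_scheme, c_host, c_port, c_path = _components(candidate)
    except ValueError:
        return False
    for allowed in REGISTERED_REDIRECTS.get(client_id, []):
        wildcard = allowed.endswith("*")
        a_scheme, a_host, a_port, a_path = _components(allowed[:-1] if wildcard else allowed)
        if (a_scheme, a_host, a_port) != (c_scheme, c_host, c_port):
            continue
        if wildcard:
            # Prefix match, but refuse traversal segments that could leave the prefix.
            if c_path.startswith(a_path) and ".." not in c_path.split("/"):
                return True
        elif c_path == a_path:
            return True
    return False


def safe_redirect_target(client_id: str, candidate: Optional[str], fallback: str) -> str:
    """What a logout or callback endpoint should do: send the browser to the
    requested target only if it is registered, otherwise to a fixed fallback."""
    if candidate and is_allowed_redirect(client_id, candidate):
        return candidate
    return fallback
```

The userinfo and schemeless checks matter because `https://app.example.com@evil.example/` and `//evil.example/` both pass a naive "contains the expected hostname" test while landing on the attacker's host.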
CVE-2014-3656

JBoss KeyCloak: XSS in...

CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2019-12-10 02:15 PM

CVE-2019-14832

A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit access to a user from a realm the user was not configured in. An authenticated attacker with knowledge of a user ID could use this flaw to access unauthorized information or to carry out further...

CVSS 7.5 | AI Score 7.0 | EPSS 0.001 | 2019-10-15 07:15 PM

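CVE-2020-10686 above (removing MFA devices by posting another user's credential ID) and CVE-2019-14832 (a user ID resolved across realms) are both missing object-level authorization checks. The following added example, not Keycloak's code, shows the lookups scoped by realm and owner next to the weak pattern that trusts the posted ID. The record shapes, the in-memory stores and the NotFound behaviour are assumptions for this example.

```python
"""Object-level authorization for credential removal and user lookup.

Added illustrative example, not Keycloak's code. The in-memory stores and the
record shapes are constructed for this example; the point is that the server
resolves an object by (realm, owner, id), never by the client-supplied id alone.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Credential:
    id: str
    realm: str
    user_id: str
    kind: str            # e.g. "otp", "webauthn"


@dataclass(frozen=True)
class User:
    id: str
    realm: str
    username: str


class NotFound(Exception):
    """Raised for missing *and* for foreign objects, so the response is the same
    and the endpoint cannot be used to enumerate other users' credential IDs."""


def build_stores():
    """Constructed sample data: two realms, two users, three MFA credentials."""
    users = {
        "u-alice": User("u-alice", "realm-a", "alice"),
        "u-bob": User("u-bob", "realm-b", "bob"),
    }
    creds = {
        "c-1": Credential("c-1", "realm-a", "u-alice", "otp"),
        "c-2": Credential("c-2", "realm-a", "u-alice", "webauthn"),
        "c-3": Credential("c-3", "realm-b", "u-bob", "otp"),
    }
    return users, creds


def remove_credential_unsafe(creds: Dict[str, Credential], cred_id: str) -> None:
    """The weak pattern: the form posts a credential id and the server deletes
    whatever that id names. Any authenticated user can remove anyone's device."""
    creds.pop(cred_id)


def remove_credential(creds: Dict[str, Credential], realm: str,
                      acting_user_id: str, cred_id: str) -> Credential:
    """Delete only if the credential exists, lives in the caller's realm and is
    owned by the caller. Returns the removed credential."""
    cred = creds.get(cred_id)
    if cred is None or cred.realm != realm or cred.user_id != acting_user_id:
        raise NotFound(cred_id)
    del creds[cred_id]
    return cred


def get_user(users: Dict[str, User], realm: str, user_id: str) -> User:
    """Realm-scoped lookup: a valid user id from another realm is a NotFound,
    not a hit, even for an authenticated caller."""
    user = users.get(user_id)
    if user is None or user.realm != realm:
        raise NotFound(user_id)
    return user
```

The same NotFound for "does not exist" and "exists but is not yours" is deliberate: returning 403 for the second case tells an attacker that the guessed ID is real.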
CVE-2017-12161

It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further...

CVSS 8.8 | AI Score 8.3 | EPSS 0.003 | 2018-02-21 06:29 PM

CVE-2017-15112

keycloak-httpd-client-install versions before 0.8 allow a password to be passed on the command line, leaking it via shell history and process listings to other local...

CVSS 7.8 | AI Score 6.2 | EPSS 0.0004 | 2018-01-20 12:29 AM

CVE-2017-15111

keycloak-httpd-client-install versions before 0.8 insecurely create a temporary file, allowing local attackers to overwrite other files via symbolic...

CVSS 5.5 | AI Score 5.4 | EPSS 0.0004 | 2018-01-20 12:29 AM

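CVE-2017-15112 and CVE-2017-15111 above are the two classic local-security mistakes in a command-line installer. The following is an added example in Python, not keycloak-httpd-client-install's own code, showing the alternatives: a secret taken from the environment, a private file or stdin instead of argv, and an output file created with O_EXCL so that a symlink planted at the target name is not followed. The `env:`/`file:`/`-` source syntax is an assumption for this example.

```python
"""Two local-security habits for a command-line installer: never take a secret
on the command line, and never create files by name without O_EXCL.

Added illustrative example, not keycloak-httpd-client-install's own code. The
"env:NAME", "file:PATH" and "-" source syntax is an assumption for this example.
"""
import os
import stat
import sys
from typing import Mapping, Optional, TextIO


def read_secret(source: str, env: Optional[Mapping[str, str]] = None,
                stdin: Optional[TextIO] = None) -> str:
    """Resolve a secret from a source that does not show up in `ps` output or
    shell history. A literal value is refused rather than accepted."""
    env = os.environ if env is None else env
    stdin = sys.stdin if stdin is None else stdin
    if source == "-":
        return stdin.readline().rstrip("\r\n")
    if source.startswith("env:"):
        name = source[4:]
        if name not in env:
            raise ValueError(f"environment variable {name} is not set")
        return env[name]
    if source.startswith("file:"):
        path = source[5:]
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise ValueError(f"{path} is accessible to group/other (mode {mode:o})")
        with open(path, encoding="utf-8") as fh:
            return fh.readline().rstrip("\r\n")
    raise ValueError("secrets must be given as env:NAME, file:PATH or - (stdin)")


def write_private_file(path: str, content: str) -> None:
    """Create `path` with mode 0600. O_EXCL makes the call fail if anything
    already exists at that name, including a symlink planted by a local
    attacker, so an existing file is never followed and overwritten.
    O_NOFOLLOW is added where the platform has it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
```

For genuinely temporary files, `tempfile.mkstemp()` and `tempfile.NamedTemporaryFile()` apply the same O_EXCL-and-0600 rule with an unpredictable name; the explicit `os.open` above is for the case where the installer must write to a caller-chosen path.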
CVE-2014-3651

JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code...

CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2017-12-29 03:29 PM

CVE-2017-12159

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further...

CVSS 7.5 | AI Score 6.9 | EPSS 0.003 | 2017-10-26 05:29 PM

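CVE-2017-12159 above describes a CSRF cookie that was the same for every session. The following added example, not Keycloak's code, shows the shape of the fix: a random token minted per session, rotated at login and compared in constant time. The in-memory dict standing in for a session store is an assumption for this example.

```python
"""Per-session CSRF tokens: a fresh random value for every session, rotated on
login, compared in constant time.

Added illustrative example, not Keycloak's code. The in-memory dict standing in
for a session store is an assumption for this example.
"""
import hmac
import secrets
from typing import Dict, Optional

SESSIONS: Dict[str, Dict[str, Optional[str]]] = {}   # constructed session store


def _new_session(user: Optional[str]) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "user": user}
    return sid


def create_session() -> str:
    """Start an anonymous session that already carries its own CSRF token.
    The weak pattern this replaces is one CSRF cookie value shared by all
    sessions, which any user can read from their own browser and replay
    against everyone else's."""
    return _new_session(None)


def csrf_token_for(session_id: str) -> str:
    """Value to embed in forms (hidden field) or send in a custom header."""
    return SESSIONS[session_id]["csrf"]


def rotate_on_login(session_id: str, user: str) -> str:
    """On authentication, issue a new session id and a new CSRF token, so a
    token seen or fixed before login is worthless afterwards."""
    SESSIONS.pop(session_id)
    return _new_session(user)


def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """Accept a state-changing request only if the submitted token equals the
    one bound to this session. compare_digest avoids a timing side channel."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf"], submitted)
```

The check that matters for this CVE is the cross-session one: a token copied out of one browser session must fail when replayed with another session's cookie.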
CVE-2017-12158

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious...

CVSS 5.4 | AI Score 5.1 | EPSS 0.002 | 2017-10-26 05:29 PM

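CVE-2017-12161 above (a spoofed host in a password-reset link) and CVE-2017-12158 (Host header used to locate admin-console resources) share a root cause: absolute URLs were built from the request's Host header. The following added example, not Keycloak's code, builds them from an operator-configured frontend URL or, at most, an explicit Host allow-list, and never from proxy headers. The header dict, the allow-list and the reset-link path are assumptions for this example.

```python
"""Building absolute URLs from configuration rather than the request's Host header.

Added illustrative example, not Keycloak's code. The request is a constructed
dict of lower-cased header names; the configured base URL, the allow-list and
the /reset-password path are assumptions for this example.
"""
from typing import AbstractSet, Mapping, Optional
from urllib.parse import quote, urlsplit


def base_url_from_host_header(headers: Mapping[str, str]) -> str:
    """The weak pattern: whatever Host (or a proxy header) says becomes the
    origin of every link the server generates, password-reset links included."""
    host = headers.get("x-forwarded-host") or headers.get("host", "")
    return f"https://{host}"


def public_base_url(headers: Mapping[str, str], configured_base: Optional[str],
                    allowed_hosts: AbstractSet[str] = frozenset()) -> str:
    """Prefer a fixed, operator-configured frontend URL. If one deployment must
    serve several hostnames, accept the Host header only when its hostname is on
    an explicit allow-list and carries nothing but host[:port]; proxy headers
    are never consulted here."""
    if configured_base:
        return configured_base.rstrip("/")
    host = headers.get("host", "")
    parsed = urlsplit("//" + host)          # parse host[:port], IPv6 literals included
    hostname = (parsed.hostname or "").lower()
    if (parsed.username is not None or parsed.path or parsed.query
            or parsed.fragment or hostname not in allowed_hosts):
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"https://{host}"


def password_reset_link(headers: Mapping[str, str], configured_base: Optional[str],
                        allowed_hosts: AbstractSet[str], realm: str, token: str) -> str:
    """The reset e-mail link is only as trustworthy as its origin; the realm and
    token are URL-encoded so they cannot smuggle in path or query separators."""
    base = public_base_url(headers, configured_base, allowed_hosts)
    return f"{base}/reset-password?realm={quote(realm, safe='')}&key={quote(token, safe='')}"
```

With a fixed configured base, a client-side /etc/hosts entry or a forged Host header changes nothing about the link a victim receives; the allow-list branch exists only for multi-hostname deployments and should be the exception.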
CVE-2014-3709

The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF...

CVSS 8.8 | AI Score 8.7 | EPSS 0.004 | 2017-10-18 02:29 PM

CVE-2017-7474

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further...

CVSS 9.8 | AI Score 9.6 | EPSS 0.002 | 2017-05-12 07:29 PM
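CVE-2017-7474 above says the Node.js adapter did not handle invalid tokens correctly. The following is an added example, written in Python rather than JavaScript so it can be run here and not the adapter's own code, of a validator in which anything short of a fully verified token is a deny: wrong segment count, undecodable segments, alg `none`, a bad signature, wrong issuer or audience, and a missing or past exp all fail closed. HS256 with a shared secret, the issuer and audience strings, and the realm_access.roles claim shape are assumptions for this example.

```python
"""Strict bearer-token validation: anything that is not a fully verified token
is rejected, never treated as "anonymous but allowed".

Added illustrative example, not the Keycloak Node.js adapter's code. HS256 with
a shared secret keeps the example self-contained; the issuer, audience, claim
names and realm_access.roles shape are assumptions for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class InvalidToken(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: Dict[str, Any], secret: bytes) -> str:
    """Issue a token for the examples; a real IdP would sign with RS256/ES256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: Any, secret: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims only if every check passes; raise InvalidToken otherwise.
    Malformed input, wrong alg (including "none"), bad signature, wrong issuer
    or audience, and missing or past exp are all failures."""
    now = time.time() if now is None else now
    if not isinstance(token, str):
        raise InvalidToken("token is not a string")
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three segments")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError as exc:            # covers binascii.Error and JSON/Unicode errors
        raise InvalidToken(f"undecodable token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("header/payload are not JSON objects")
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        raise InvalidToken("missing or expired exp")
    return claims


def authorize(token: Any, secret: bytes, issuer: str, audience: str,
              required_role: str, now: Optional[float] = None) -> bool:
    """Guard for a protected route: any verification failure is a deny."""
    try:
        claims = verify_hs256(token, secret, issuer, audience, now)
    except InvalidToken:
        return False
    realm_access = claims.get("realm_access")
    roles = realm_access.get("roles", []) if isinstance(realm_access, dict) else []
    return isinstance(roles, list) and required_role in roles
```

The structure to copy is that `authorize` has exactly one path to True, through a successfully returned claims object; a parse error or a missing token never reaches the role check.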