Lucene search

K
RedhatKeycloak

93 matches found

CVE
CVE
added 2023/09/25 8:15 p.m.5272 views

CVE-2022-4137

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be...

8.1CVSS6.2AI score0.00393EPSS
CVE
CVE
added 2023/12/18 4:15 p.m.3808 views

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connecti...

5.9CVSS6.7AI score0.67991EPSS
CVE
CVE
added 2023/09/20 2:15 p.m.2795 views

CVE-2022-1438

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

6.4CVSS5.5AI score0.00152EPSS
CVE
CVE
added 2022/08/23 4:15 p.m.2296 views

CVE-2021-3827

A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The high...

6.8CVSS6.7AI score0.00092EPSS
CVE
CVE
added 2024/04/17 2:15 p.m.388 views

CVE-2024-1132

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any...

8.1CVSS5.7AI score0.00177EPSS
CVE
CVE
added 2023/01/13 6:15 a.m.301 views

CVE-2022-3782

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the...

9.1CVSS8.9AI score0.00097EPSS
CVE
CVE
added 2024/04/25 4:15 p.m.281 views

CVE-2023-6787

A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter thei...

8.8CVSS6.4AI score0.00423EPSS
CVE
CVE
added 2023/12/18 11:15 p.m.274 views

CVE-2023-6927

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

6.1CVSS5.3AI score0.01836EPSS
CVE
CVE
added 2023/09/20 3:15 p.m.260 views

CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to ...

6.8CVSS7.1AI score0.00226EPSS
CVE
CVE
added 2023/08/04 6:15 p.m.249 views

CVE-2023-0264

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue c...

5CVSS4.5AI score0.03396EPSS
CVE
CVE
added 2024/01/26 3:15 p.m.247 views

CVE-2023-6291

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

7.1CVSS6.5AI score0.00196EPSS
CVE
CVE
added 2024/09/09 7:15 p.m.238 views

CVE-2024-7341

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication...

7.1CVSS6.9AI score0.01149EPSS
CVE
CVE
added 2024/09/09 7:15 p.m.224 views

CVE-2024-7260

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it ...

6.1CVSS6.2AI score0.0015EPSS
CVE
CVE
added 2020/12/15 8:15 p.m.213 views

CVE-2020-10770

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

5.3CVSS4.9AI score0.92282EPSS
CVE
CVE
added 2022/07/08 12:15 a.m.206 views

CVE-2022-1245

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to a...

9.8CVSS9.4AI score0.00396EPSS
CVE
CVE
added 2024/09/10 5:15 p.m.200 views

CVE-2023-6841

A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.

7.5CVSS7.3AI score0.00269EPSS
CVE
CVE
added 2023/03/29 9:15 p.m.191 views

CVE-2022-1274

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.

5.4CVSS5.2AI score0.00785EPSS
CVE
CVE
added 2022/03/25 7:15 p.m.190 views

CVE-2021-20323

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.

6.1CVSS6AI score0.7008EPSS
CVE
CVE
added 2020/05/15 7:15 p.m.166 views

CVE-2020-1758

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

5.9CVSS5.2AI score0.00254EPSS
CVE
CVE
added 2023/12/14 6:15 p.m.165 views

CVE-2023-6563

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab ...

7.7CVSS7.3AI score0.00304EPSS
CVE
CVE
added 2023/12/14 10:15 p.m.160 views

CVE-2023-6134

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomple...

5.4CVSS5.3AI score0.01836EPSS
CVE
CVE
added 2022/01/25 8:15 p.m.158 views

CVE-2021-4133

A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.

8.8CVSS8.3AI score0.00134EPSS
CVE
CVE
added 2020/03/24 2:15 p.m.153 views

CVE-2020-1744

A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.

6.8CVSS5.2AI score0.00333EPSS
CVE
CVE
added 2021/05/28 11:15 a.m.153 views

CVE-2020-27826

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

4.9CVSS3.9AI score0.00166EPSS
CVE
CVE
added 2023/01/13 6:15 a.m.153 views

CVE-2023-0091

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

3.8CVSS3.7AI score0.00069EPSS
CVE
CVE
added 2018/07/26 5:29 p.m.144 views

CVE-2017-2582

It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML reque...

6.5CVSS6.3AI score0.00663EPSS
CVE
CVE
added 2022/04/26 7:15 p.m.143 views

CVE-2022-1466

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

6.5CVSS6.2AI score0.00255EPSS
CVE
CVE
added 2020/05/13 7:15 p.m.139 views

CVE-2020-1714

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code...

8.8CVSS8.5AI score0.02152EPSS
CVE
CVE
added 2023/10/04 11:15 a.m.138 views

CVE-2023-2422

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to oth...

7.1CVSS6.5AI score0.00217EPSS
CVE
CVE
added 2020/11/17 2:15 a.m.137 views

CVE-2020-14389

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

8.1CVSS7.7AI score0.00148EPSS
CVE
CVE
added 2023/01/13 6:15 a.m.135 views

CVE-2023-0105

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

6.5CVSS6.1AI score0.00088EPSS
CVE
CVE
added 2023/07/07 8:15 p.m.131 views

CVE-2022-4361

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

10CVSS5.7AI score0.00311EPSS
CVE
CVE
added 2019/06/12 2:29 p.m.130 views

CVE-2019-3875

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often availab...

6.5CVSS5AI score0.00047EPSS
CVE
CVE
added 2024/02/29 1:43 a.m.129 views

CVE-2024-1722

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

5.3CVSS3.9AI score0.00235EPSS
CVE
CVE
added 2020/05/08 2:15 p.m.125 views

CVE-2019-10170

A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permis...

7.2CVSS6.9AI score0.00742EPSS
CVE
CVE
added 2020/02/10 3:15 p.m.125 views

CVE-2020-1697

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further atta...

6.1CVSS5AI score0.00283EPSS
CVE
CVE
added 2020/05/12 9:15 p.m.125 views

CVE-2020-1718

A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.

8.8CVSS8.4AI score0.00367EPSS
CVE
CVE
added 2022/08/26 6:15 p.m.124 views

CVE-2022-0225

A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.

5.4CVSS4.9AI score0.00348EPSS
CVE
CVE
added 2019/04/24 4:29 p.m.122 views

CVE-2019-3868

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.

5.5CVSS3.9AI score0.00291EPSS
CVE
CVE
added 2020/11/17 2:15 a.m.122 views

CVE-2020-10776

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.

4.8CVSS4.6AI score0.00271EPSS
CVE
CVE
added 2023/05/26 6:15 p.m.121 views

CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If th...

6.5CVSS6.1AI score0.00238EPSS
CVE
CVE
added 2022/08/22 3:15 p.m.118 views

CVE-2021-3513

A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.

7.5CVSS7.1AI score0.00174EPSS
CVE
CVE
added 2020/01/08 3:15 p.m.116 views

CVE-2019-14820

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.

4.3CVSS4.4AI score0.0031EPSS
CVE
CVE
added 2021/07/09 11:15 a.m.116 views

CVE-2021-3637

A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.

7.5CVSS7.1AI score0.00409EPSS
CVE
CVE
added 2021/05/28 11:15 a.m.115 views

CVE-2021-20195

A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is...

9.6CVSS8.7AI score0.00305EPSS
CVE
CVE
added 2020/05/11 9:15 p.m.114 views

CVE-2020-1724

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

4.3CVSS4AI score0.00232EPSS
CVE
CVE
added 2020/09/16 6:15 p.m.113 views

CVE-2020-10748

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.

6.1CVSS5.3AI score0.00391EPSS
CVE
CVE
added 2020/05/08 2:15 p.m.112 views

CVE-2019-10169

A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running ap...

7.2CVSS7AI score0.00608EPSS
CVE
CVE
added 2021/02/11 6:15 p.m.110 views

CVE-2020-1717

A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.

4CVSS3.6AI score0.00183EPSS
CVE
CVE
added 2020/01/07 5:15 p.m.109 views

CVE-2019-14837

A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be '[email protected]'.

9.1CVSS9AI score0.01008EPSS
Total number of security vulnerabilities93