8 matches found

CVE-2021-3827
added 2022/08/23 4:15 p.m. · 2306 views

A flaw was found in Keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass MFA by sending a SOAP request carrying an AuthnRequest and an Authorization header with the user's credentials. The high...

CVSS 6.8 · AI score 6.7 · EPSS 0.00217
CVE-2022-1245
added 2022/07/08 12:15 a.m. · 211 views

A privilege escalation flaw was found in the token exchange feature of Keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client simply by passing the target's client_id. This could allow a client to gain unauthorized access to a...

CVSS 9.8 · AI score 9.4 · EPSS 0.00396
CVE-2021-20323
added 2022/03/25 7:15 p.m. · 200 views

A POST-based reflected Cross Site Scripting vulnerability has been identified in Keycloak.

CVSS 6.1 · AI score 6 · EPSS 0.66054
CVE-2021-4133
added 2022/01/25 8:15 p.m. · 170 views

A flaw was found in Keycloak versions 12.0.0 up to, but not including, 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API, even when new user registration is disabled.

CVSS 8.8 · AI score 8.3 · EPSS 0.00263
CVE-2022-1466
added 2022/04/26 7:15 p.m. · 150 views

Due to improper authorization, Red Hat Single Sign-On allows users to perform actions they should not be permitted to perform. It was possible to add users to the master realm even though no corresponding permission had been granted.

CVSS 6.5 · AI score 6.2 · EPSS 0.00255
CVE-2021-3513
added 2022/08/22 3:15 p.m. · 129 views

A flaw was found in Keycloak where a brute force attack remains possible even when the permanent lockout feature is enabled, because a wrong error message is displayed when incorrect credentials are entered. The highest threat from this vulnerability is to confidentiality.

CVSS 7.5 · AI score 7.1 · EPSS 0.00201
CVE-2021-3632
added 2022/08/26 4:15 p.m. · 103 views

A flaw was found in Keycloak. This vulnerability allows anyone, using the WebAuthn passwordless login flow, to register a new security device or key for any user who does not yet have a device registered.

CVSS 7.5 · AI score 7.2 · EPSS 0.00411
CVE-2021-3856
added 2022/08/26 4:15 p.m. · 85 views

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client receives the content of arbitrary classpath files if they exist.

CVSS 4.3 · AI score 4.5 · EPSS 0.00364
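The traversal the entry above describes and the containment check a resource provider needs, as an added example that is not Keycloak's code: a naive resolver joins the requested relative path onto the theme root and lets `..` segments (raw or URL-encoded) walk out to other classpath entries; the hardened resolver decodes once, rejects absolute paths and `..` segments, and then verifies the normalised path is still strictly under the root. The in-memory resource tree, `THEME_ROOT`, and both resolver functions are constructed for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed classpath: theme assets that may be served, plus entries that
# must never be reachable through the theme resource endpoint.
RESOURCES = {
    "theme/keycloak/login/resources/css/login.css": "body{}",
    "theme/keycloak/login/resources/js/script.js": "console.log(1)",
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0",
    "com/example/Secret.class": "<bytecode>",
}

THEME_ROOT = "theme/keycloak/login/resources"   # assumed theme resource root


def resolve_naive(rel: str):
    """Vulnerable: decodes the request, joins it onto the root and looks the
    normalised result up. '..' segments are honoured, so the lookup escapes
    the theme directory and returns any classpath resource."""
    path = posixpath.normpath(posixpath.join(THEME_ROOT, unquote(rel)))
    return RESOURCES.get(path)


def resolve_hardened(rel: str):
    """Decode exactly once, refuse absolute paths, backslashes, NULs and any
    '..' segment, then require the normalised path to sit strictly below
    THEME_ROOT before touching the resource store."""
    decoded = unquote(rel)
    if decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return None
    if ".." in decoded.split("/"):
        return None
    path = posixpath.normpath(posixpath.join(THEME_ROOT, decoded))
    if not path.startswith(THEME_ROOT + "/"):
        return None
    return RESOURCES.get(path)


if __name__ == "__main__":
    for req in ("css/login.css",
                "../../../../META-INF/MANIFEST.MF",
                "..%2F..%2F..%2F..%2Fcom/example/Secret.class",
                "/META-INF/MANIFEST.MF"):
        print(f"{req!r:50} naive={resolve_naive(req)!r:25} "
              f"hardened={resolve_hardened(req)!r}")
```

The prefix check after normalisation is the load-bearing part: rejecting the literal `..` string alone misses encoded forms and double-dot variants a later normalisation step can still collapse, so the decision is made on the final path, not on the request text.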