Lucene search

8 matches found

CVE
added 2023/09/25 8:15 p.m., 5274 views

CVE-2022-4137

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be...

8.1 CVSS, 6.2 AI score, 0.00393 EPSS

CVE
added 2023/12/18 4:15 p.m., 3816 views

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connecti...

5.9 CVSS, 6.7 AI score, 0.70714 EPSS

CVE
added 2023/09/20 2:15 p.m., 2797 views

CVE-2022-1438

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

6.4 CVSS, 5.5 AI score, 0.00152 EPSS

CVE
added 2023/12/18 11:15 p.m., 278 views

CVE-2023-6927

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

6.1 CVSS, 5.3 AI score, 0.01836 EPSS

CVE
added 2023/01/13 6:15 a.m., 156 views

CVE-2023-0091

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

3.8 CVSS, 3.7 AI score, 0.00069 EPSS

CVE
added 2023/10/04 11:15 a.m., 138 views

CVE-2023-2422

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to oth...

7.1 CVSS, 6.5 AI score, 0.00217 EPSS

CVE
added 2023/01/13 6:15 a.m., 135 views

CVE-2023-0105

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lock out or impersonate them.

6.5 CVSS, 6.1 AI score, 0.00088 EPSS

CVE
added 2023/05/26 6:15 p.m., 121 views

CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If th...

6.5 CVSS, 6.1 AI score, 0.00238 EPSS