Keycloak Security Vulnerabilities and Issues — Keycloak CVE List

Lucene search

RedhatKeycloak

4 matches found

CVE•added 2018/11/30 1:29 p.m.•106 views

CVE-2018-14637

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

8.1CVSS7.7AI score0.00252EPSS

CVE•added 2018/11/13 7:29 p.m.•62 views

CVE-2018-14658

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

6.1CVSS6.2AI score0.00254EPSS

CVE•added 2018/11/13 7:29 p.m.•58 views

CVE-2018-14657

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.

8.1CVSS7.8AI score0.00387EPSS

CVE•added 2018/11/13 7:29 p.m.•56 views

CVE-2018-14655

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

5.4CVSS5.7AI score0.00234EPSS