Keycloak Security Vulnerabilities and Issues — Keycloak CVE List

Lucene search

RedhatKeycloak

8 matches found

CVE•added 2020/05/15 7:15 p.m.•166 views

CVE-2020-1758

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

5.9CVSS5.2AI score0.00254EPSS

CVE•added 2020/05/13 7:15 p.m.•139 views

CVE-2020-1714

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code...

8.8CVSS8.5AI score0.02152EPSS

CVE•added 2020/05/08 2:15 p.m.•125 views

CVE-2019-10170

A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permis...

7.2CVSS6.9AI score0.00742EPSS

CVE•added 2020/05/12 9:15 p.m.•125 views

CVE-2020-1718

A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.

8.8CVSS8.4AI score0.00367EPSS

CVE•added 2020/05/11 9:15 p.m.•114 views

CVE-2020-1724

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

4.3CVSS4AI score0.00232EPSS

CVE•added 2020/05/08 2:15 p.m.•112 views

CVE-2019-10169

A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running ap...

7.2CVSS7AI score0.00608EPSS

CVE•added 2020/05/11 2:15 p.m.•76 views

CVE-2020-1698

A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.

5.5CVSS5.2AI score0.00051EPSS

CVE•added 2020/05/04 9:15 p.m.•57 views

CVE-2020-10686

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

6.5CVSS4.6AI score0.00238EPSS