Keycloak Security Vulnerabilities and Issues — Keycloak CVE List

Lucene search

RedhatKeycloak

8 matches found

CVE•added 2022/08/23 4:15 p.m.•2297 views

CVE-2021-3827

A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The high...

6.8CVSS6.7AI score0.00092EPSS

CVE•added 2022/08/26 6:15 p.m.•125 views

CVE-2022-0225

A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.

5.4CVSS4.9AI score0.00348EPSS

CVE•added 2022/08/22 3:15 p.m.•119 views

CVE-2021-3513

A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.

7.5CVSS7.1AI score0.00174EPSS

CVE•added 2022/08/05 5:15 p.m.•107 views

CVE-2022-2668

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

7.2CVSS6.7AI score0.00235EPSS

CVE•added 2022/08/23 4:15 p.m.•95 views

CVE-2020-35509

A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.

5.4CVSS5.1AI score0.00105EPSS

CVE•added 2022/08/26 4:15 p.m.•93 views

CVE-2021-3754

A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.

5.3CVSS5.1AI score0.04922EPSS

CVE•added 2022/08/26 4:15 p.m.•92 views

CVE-2021-3632

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

7.5CVSS7.2AI score0.00135EPSS

CVE•added 2022/08/26 4:15 p.m.•80 views

CVE-2021-3856

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.

4.3CVSS4.5AI score0.0016EPSS