Keycloak Security Vulnerabilities and Issues — Keycloak CVE List

Lucene search

RedhatKeycloak

10 matches found

CVE•added 2021/05/28 11:15 a.m.•153 views

CVE-2020-27826

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

4.9CVSS3.9AI score0.00166EPSS

CVE•added 2020/11/17 2:15 a.m.•122 views

CVE-2020-10776

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.

4.8CVSS4.6AI score0.00271EPSS

CVE•added 2020/01/08 3:15 p.m.•116 views

CVE-2019-14820

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.

4.3CVSS4.4AI score0.0031EPSS

CVE•added 2020/05/11 9:15 p.m.•114 views

CVE-2020-1724

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

4.3CVSS4AI score0.00232EPSS

CVE•added 2021/02/11 6:15 p.m.•110 views

CVE-2020-1717

A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.

4CVSS3.6AI score0.00183EPSS

CVE•added 2020/09/16 7:15 p.m.•92 views

CVE-2020-1694

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.

4.9CVSS4.6AI score0.00275EPSS

CVE•added 2022/08/26 4:15 p.m.•80 views

CVE-2021-3856

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.

4.3CVSS4.5AI score0.0016EPSS

CVE•added 2018/07/23 10:29 p.m.•78 views

CVE-2018-10912

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the ser...

4.9CVSS4.8AI score0.00474EPSS

CVE•added 2020/12/15 8:15 p.m.•76 views

CVE-2020-14302

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks.

4.9CVSS5AI score0.00154EPSS

CVE•added 2019/11/13 4:15 p.m.•68 views

CVE-2014-3655

JBoss KeyCloak is vulnerable to soft token deletion via CSRF

4.3CVSS4.6AI score0.00183EPSS