Keycloak Security Vulnerabilities and Issues — Keycloak CVE List

Lucene search

RedhatKeycloak

23 matches found

CVE•added 2023/09/20 2:15 p.m.•2795 views

CVE-2022-1438

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

6.4CVSS5.5AI score0.00152EPSS

CVE•added 2022/08/23 4:15 p.m.•2296 views

CVE-2021-3827

A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The high...

6.8CVSS6.7AI score0.00092EPSS

CVE•added 2023/12/18 11:15 p.m.•274 views

CVE-2023-6927

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

6.1CVSS5.3AI score0.01836EPSS

CVE•added 2023/09/20 3:15 p.m.•260 views

CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to ...

6.8CVSS7.1AI score0.00226EPSS

CVE•added 2024/09/09 7:15 p.m.•224 views

CVE-2024-7260

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it ...

6.1CVSS6.2AI score0.0015EPSS

CVE•added 2022/03/25 7:15 p.m.•190 views

CVE-2021-20323

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.

6.1CVSS6AI score0.7008EPSS

CVE•added 2020/03/24 2:15 p.m.•153 views

CVE-2020-1744

A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.

6.8CVSS5.2AI score0.00333EPSS

CVE•added 2018/07/26 5:29 p.m.•144 views

CVE-2017-2582

It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML reque...

6.5CVSS6.3AI score0.00663EPSS

CVE•added 2022/04/26 7:15 p.m.•143 views

CVE-2022-1466

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

6.5CVSS6.2AI score0.00255EPSS

CVE•added 2023/01/13 6:15 a.m.•135 views

CVE-2023-0105

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

6.5CVSS6.1AI score0.00088EPSS

CVE•added 2019/06/12 2:29 p.m.•130 views

CVE-2019-3875

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often availab...

6.5CVSS5AI score0.00047EPSS

CVE•added 2020/02/10 3:15 p.m.•125 views

CVE-2020-1697

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further atta...

6.1CVSS5AI score0.00283EPSS

CVE•added 2023/05/26 6:15 p.m.•121 views

CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If th...

6.5CVSS6.1AI score0.00238EPSS

CVE•added 2020/09/16 6:15 p.m.•113 views

CVE-2020-10748

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.

6.1CVSS5.3AI score0.00391EPSS

CVE•added 2019/12/15 10:15 p.m.•101 views

CVE-2014-3652

JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.

6.1CVSS6.2AI score0.00219EPSS

CVE•added 2018/05/11 1:29 p.m.•93 views

CVE-2016-8627

admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP feature to download server log files that allows logs to be available via GET requests making them vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files consuming enough re...

6.5CVSS6.6AI score0.00801EPSS

CVE•added 2021/03/09 6:15 p.m.•92 views

CVE-2021-20262

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity...

6.8CVSS6.2AI score0.00044EPSS

CVE•added 2024/09/03 8:15 p.m.•83 views

CVE-2024-4629

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This ...

6.5CVSS6.6AI score0.00166EPSS

CVE•added 2018/03/12 3:29 p.m.•82 views

CVE-2016-8629

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

6.5CVSS6.5AI score0.00454EPSS

CVE•added 2021/03/08 10:15 p.m.•75 views

CVE-2020-27838

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulne...

6.5CVSS6.4AI score0.89101EPSS

CVE•added 2020/06/22 7:15 p.m.•71 views

CVE-2020-1727

A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients.

6.4CVSS5.2AI score0.00184EPSS

CVE•added 2018/11/13 7:29 p.m.•62 views

CVE-2018-14658

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

6.1CVSS6.2AI score0.00254EPSS

CVE•added 2020/05/04 9:15 p.m.•57 views

CVE-2020-10686

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

6.5CVSS4.6AI score0.00238EPSS