Keycloak Security Vulnerabilities and Issues — Keycloak CVE List

Lucene search

RedhatKeycloak

16 matches found

CVE•added 2023/09/25 8:15 p.m.•5274 views

CVE-2022-4137

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be...

8.1CVSS6.2AI score0.00393EPSS

CVE•added 2023/12/18 4:15 p.m.•3815 views

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connecti...

5.9CVSS6.7AI score0.70714EPSS

CVE•added 2023/09/20 2:15 p.m.•2797 views

CVE-2022-1438

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

6.4CVSS5.5AI score0.00152EPSS

CVE•added 2023/01/13 6:15 a.m.•303 views

CVE-2022-3782

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the...

9.1CVSS8.9AI score0.00097EPSS

CVE•added 2023/12/18 11:15 p.m.•277 views

CVE-2023-6927

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

6.1CVSS5.3AI score0.01836EPSS

CVE•added 2023/09/20 3:15 p.m.•262 views

CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to ...

6.8CVSS7.1AI score0.00226EPSS

CVE•added 2023/08/04 6:15 p.m.•251 views

CVE-2023-0264

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue c...

5CVSS4.5AI score0.03396EPSS

CVE•added 2023/03/29 9:15 p.m.•193 views

CVE-2022-1274

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.

5.4CVSS5.2AI score0.00785EPSS

CVE•added 2023/12/14 6:15 p.m.•165 views

CVE-2023-6563

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab ...

7.7CVSS7.3AI score0.00304EPSS

CVE•added 2023/12/14 10:15 p.m.•160 views

CVE-2023-6134

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomple...

5.4CVSS5.3AI score0.01836EPSS

CVE•added 2023/01/13 6:15 a.m.•156 views

CVE-2023-0091

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

3.8CVSS3.7AI score0.00069EPSS

CVE•added 2023/10/04 11:15 a.m.•138 views

CVE-2023-2422

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to oth...

7.1CVSS6.5AI score0.00217EPSS

CVE•added 2023/01/13 6:15 a.m.•135 views

CVE-2023-0105

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

6.5CVSS6.1AI score0.00088EPSS

CVE•added 2023/07/07 8:15 p.m.•131 views

CVE-2022-4361

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

10CVSS5.7AI score0.00311EPSS

CVE•added 2023/05/26 6:15 p.m.•121 views

CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If th...

6.5CVSS6.1AI score0.00238EPSS

CVE•added 2023/09/12 8:15 p.m.•74 views

CVE-2023-4918

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able ...

8.8CVSS8.4AI score0.00081EPSS