4 matches found
CVE-2017-2585
CVE-2017-2585 affects Red Hat Keycloak before version 2.5.1, where JWS token HMAC verification is implemented in non-constant time, potentially enabling timing attacks. Documents across OSV/GHSA/NVD reiterate this exact flaw for Keycloak; no explicit exploit details or affected version ranges bey...
CVE-2016-8629
CVE-2016-8629 affects Red Hat Keycloak prior to version 2.4.0. The vulnerability is a failure to properly enforce permissions when handling service account user deletion requests sent to the REST server. An attacker with service account authentication could bypass normal permissions and delete us...
CVE-2017-12158
CVE-2017-12158 is corroborated by multiple connected records showing a vulnerability in Keycloak where the admin console accepts a HOST header URL and uses it to resolve web resource locations. This leads to a reflected XSS possibility when an authenticated user visits a malicious server, enablin...
CVE-2017-12159
CVE-2017-12159 maps to a CSRF cookie issue in Keycloak where the anti-CSRF token was not unique per session. This allows an attacker to access a victim’s authenticated session and potentially disclose information or aid further attacks, as documented by GHSA-7FMW-85QM-H22P and related advisories....