Single Sign-on@- Security Vulnerabilities and Issues — Single Sign-on@- CVE List

Lucene search

RedhatSingle Sign-on-

9 matches found

CVE•added 2023/09/14 3:15 p.m.•2602 views

CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

7.5CVSS7.3AI score0.0481EPSS

CVE•added 2023/12/21 10:15 a.m.•2580 views

CVE-2023-2585

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access...

8.1CVSS5.6AI score0.00112EPSS

CVE•added 2023/09/27 3:18 p.m.•559 views

CVE-2023-3223

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass...

7.5CVSS7.3AI score0.00767EPSS

CVE•added 2023/09/20 3:15 p.m.•262 views

CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to ...

6.8CVSS7.1AI score0.00226EPSS

CVE•added 2023/08/04 6:15 p.m.•251 views

CVE-2023-0264

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue c...

5CVSS4.5AI score0.03396EPSS

CVE•added 2023/03/29 9:15 p.m.•193 views

CVE-2022-1274

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.

5.4CVSS5.2AI score0.00785EPSS

CVE•added 2023/12/14 6:15 p.m.•165 views

CVE-2023-6563

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab ...

7.7CVSS7.3AI score0.00304EPSS

CVE•added 2023/12/14 10:15 p.m.•160 views

CVE-2023-6134

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomple...

5.4CVSS5.3AI score0.01836EPSS

CVE•added 2023/07/07 8:15 p.m.•131 views

CVE-2022-4361

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

10CVSS5.7AI score0.00311EPSS