org.keycloak:keycloak-core

vulnerable: 1.0-alpha-1 ... 1.0.2.Final (16 versions)

JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation.

vulnerable: 1.0-alpha-1 ... 1.0.5.Final (19 versions)

JBoss KeyCloak: XSS in login-status-iframe.html

vulnerable: 1.0-alpha-1 ... 2.3.0.CR1 (59 versions)

It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclos…

vulnerable: 1.0-alpha-1 ... 2.4.0.CR1 (61 versions)

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal pe…

vulnerable: 1.0-alpha-1 ... 3.4.1.Final (81 versions)

It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid re…

vulnerable: 1.0-alpha-1 ... 2.5.0.Final (64 versions)

It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system pr…

vulnerable: 1.0-alpha-1 ... 2.5.0.Final (64 versions)

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.

vulnerable: 1.0-alpha-1 ... 2.5.4.Final (66 versions)

It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker could use this flaw to conduct denial of se…

vulnerable: 1.0-alpha-1 ... 4.0.0.Beta3 (86 versions)

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user…

vulnerable: 1.0-alpha-1 ... 4.5.0.Final (93 versions)

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

vulnerable: 1.0-alpha-1 ... 3.2.1.Final (74 versions)

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

vulnerable: 1.0-alpha-1 ... 7.0.1 (104 versions)

A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious …

vulnerable: 1.0-alpha-1 ... 6.0.1 (102 versions)

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted dom…

vulnerable: 1.0-alpha-1 ... 6.0.1 (102 versions)

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can b…

vulnerable: 1.0-alpha-1 ... 7.0.1 (104 versions)

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthori…

vulnerable: 1.0-alpha-1 ... 7.0.1 (104 versions)

A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the em…

vulnerable: 1.0-alpha-1 ... 5.0.0 (100 versions)

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser s…

vulnerable: 1.0-alpha-1 ... 6.0.1 (102 versions)

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or throu…

vulnerable: 1.0-alpha-1 ... 9.0.0 (108 versions)

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly r…

vulnerable: 1.0-alpha-1 ... 9.0.3 (122 versions)

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request fo…

vulnerable: 1.0-alpha-1 ... 9.0.3 (117 versions)

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

vulnerable: 1.0-alpha-1 ... 8.0.2 (107 versions)

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to tr…

vulnerable: 1.0-alpha-1 ... 8.0.2 (107 versions)

A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.

vulnerable: 1.0-alpha-1 ... 9.0.3 (113 versions)

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized…

vulnerable: 1.0-alpha-1 ... 9.0.0 (108 versions)

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

vulnerable: 1.0-alpha-1 ... 9.0.3 (110 versions)

A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, ye…

vulnerable: 1.0-alpha-1 ... 8.0.1 (106 versions)

A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same…

vulnerable: 1.0-alpha-1 ... 9.0.0 (108 versions)

A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So Br…

vulnerable: 1.0-alpha-1 ... 9.0.3 (117 versions)

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any …

vulnerable: 1.0-alpha-1 ... 9.0.3 (122 versions)

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client chang…

vulnerable: 1.0-alpha-1 ... 9.0.3 (124 versions)

A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data …

vulnerable: 1.0-alpha-1 ... 9.0.3 (122 versions)

A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to pro…

vulnerable: 1.0-alpha-1 ... 9.0.3 (122 versions)

A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this…

vulnerable: 1.0-alpha-1 ... 9.0.3 (122 versions)

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest t…

vulnerable: 15.0.0 ... 16.1.1 (8 versions)

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.

vulnerable: 1.0-alpha-1 ... 9.0.3 (128 versions)

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

vulnerable: 1.0-alpha-1 ... 9.0.3 (128 versions)

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will recei…

vulnerable: 1.0-alpha-1 ... 9.0.3 (132 versions)

A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.

vulnerable: 1.0-alpha-1 ... 9.0.3 (134 versions)

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

vulnerable: 1.0-alpha-1 ... 9.0.3 (145 versions)

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

vulnerable: 1.0-alpha-1 ... 9.0.3 (155 versions)

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

vulnerable: 1.0-alpha-1 ... 9.0.3 (153 versions)

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose …

vulnerable: 22.0.2

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. …

vulnerable: 1.0-alpha-1 ... 9.0.3 (168 versions)

A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long …

vulnerable: 1.0-alpha-1 ... 9.0.3 (164 versions)

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to a…

vulnerable: 1.0-alpha-1 ... 9.0.3 (193 versions)

A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting…

vulnerable: 1.0-alpha-1 ... 9.0.3 (174 versions)

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automa…

vulnerable: 25.0.0, 25.0.1, 25.0.2, 25.0.3

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for a…