Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Keycloak
(Redhat)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 88 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2020-05-04 | CVE-2020-10686 | A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. | Keycloak | 4.7 | ||
2020-05-08 | CVE-2019-10169 | A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application. | Keycloak | 7.2 | ||
2020-05-08 | CVE-2019-10170 | A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. | Keycloak | 7.2 | ||
2018-11-13 | CVE-2018-14657 | A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures. | Keycloak, Single_sign\-On | 8.1 | ||
2020-12-15 | CVE-2020-10770 | A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. | Keycloak | 5.3 | ||
2020-01-08 | CVE-2019-14820 | It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. | Jboss_enterprise_application_platform, Jboss_fuse, Keycloak, Single_sign\-On | 4.3 | ||
2019-08-14 | CVE-2019-10199 | It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain. | Keycloak | 8.8 | ||
2018-07-23 | CVE-2018-10912 | keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server. | Keycloak, Single_sign\-On | 4.9 | ||
2021-02-11 | CVE-2020-10734 | A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable. | Jboss_fuse, Keycloak, Openshift_application_runtimes, Single_sign\-On | 3.3 | ||
2020-09-16 | CVE-2020-10758 | A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | Keycloak, Openshift_application_runtimes, Single_sign\-On | 7.5 |