Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Keycloak
(Redhat)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 88 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-03-29 | CVE-2022-1274 | A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. | Keycloak, Openshift_container_platform, Single_sign\-On | 5.4 | ||
| 2023-07-07 | CVE-2022-4361 | Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. | Keycloak, Openshift_container_platform, Openshift_container_platform_for_ibm_linuxone, Openshift_container_platform_for_power, Single_sign\-On | 6.1 | ||
| 2023-08-04 | CVE-2023-0264 | A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability. | Keycloak, Openshift_container_platform, Openshift_container_platform_for_ibm_linuxone, Openshift_container_platform_ibm_z_systems, Single_sign\-On | 5.0 | ||
| 2023-09-12 | CVE-2023-4918 | A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment. | Keycloak | 8.8 | ||
| 2023-09-20 | CVE-2022-1438 | A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability. | Keycloak | 4.8 | ||
| 2023-09-20 | CVE-2022-3916 | A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. | Keycloak, Openshift_container_platform, Openshift_container_platform_for_linuxone, Openshift_container_platform_for_power, Openshift_container_platform_ibm_z_systems, Single_sign\-On | 6.8 | ||
| 2023-09-25 | CVE-2022-4137 | A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker. | Keycloak, Single_sign\-On | 6.1 | ||
| 2023-10-04 | CVE-2023-2422 | A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients. | Keycloak, Openshift_container_platform, Single_sign\-On | 7.1 | ||
| 2023-12-14 | CVE-2023-6563 | An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system. | Keycloak, Openshift_container_platform, Openshift_container_platform_for_ibm_linuxone, Openshift_container_platform_for_power, Single_sign\-On | 7.7 | ||
| 2023-12-14 | CVE-2023-6134 | A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. | Keycloak, Openshift_container_platform, Openshift_container_platform_for_power, Openshift_container_platform_ibm_z_systems, Single_sign\-On | 5.4 |