Total
99 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6563 | 1 Redhat | 6 Enterprise Linux, Keycloak, Openshift Container Platform and 3 more | 2024-11-21 | N/A | 7.7 HIGH |
| An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system. | |||||
| CVE-2023-6291 | 1 Redhat | 8 Enterprise Linux, Keycloak, Migration Toolkit For Applications and 5 more | 2024-11-21 | N/A | 7.1 HIGH |
| A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. | |||||
| CVE-2023-6134 | 1 Redhat | 6 Enterprise Linux, Keycloak, Openshift Container Platform and 3 more | 2024-11-21 | N/A | 4.6 MEDIUM |
| A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. | |||||
| CVE-2023-4918 | 1 Redhat | 1 Keycloak | 2024-11-21 | N/A | 8.8 HIGH |
| A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment. | |||||
| CVE-2023-2422 | 1 Redhat | 4 Enterprise Linux, Keycloak, Openshift Container Platform and 1 more | 2024-11-21 | N/A | 5.5 MEDIUM |
| A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients. | |||||
| CVE-2023-0264 | 1 Redhat | 6 Enterprise Linux, Keycloak, Openshift Container Platform and 3 more | 2024-11-21 | N/A | 5.0 MEDIUM |
| A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability. | |||||
| CVE-2022-4361 | 1 Redhat | 6 Enterprise Linux, Keycloak, Openshift Container Platform and 3 more | 2024-11-21 | N/A | 10.0 CRITICAL |
| Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. | |||||
| CVE-2022-4137 | 1 Redhat | 3 Enterprise Linux, Keycloak, Single Sign-on | 2024-11-21 | N/A | 8.1 HIGH |
| A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker. | |||||
| CVE-2022-3916 | 1 Redhat | 7 Enterprise Linux, Keycloak, Openshift Container Platform and 4 more | 2024-11-21 | N/A | 6.8 MEDIUM |
| A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. | |||||
| CVE-2022-2668 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | N/A | 7.2 HIGH |
| An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled | |||||
| CVE-2022-1466 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. | |||||
| CVE-2022-1438 | 1 Redhat | 1 Keycloak | 2024-11-21 | N/A | 6.4 MEDIUM |
| A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability. | |||||
| CVE-2022-1274 | 1 Redhat | 8 Enterprise Linux, Enterprise Linux For Ibm Z Systems, Enterprise Linux For Ibm Z Systems Eus and 5 more | 2024-11-21 | N/A | 5.4 MEDIUM |
| A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. | |||||
| CVE-2022-1245 | 1 Redhat | 1 Keycloak | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services. | |||||
| CVE-2022-0225 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | N/A | 5.4 MEDIUM |
| A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack. | |||||
| CVE-2021-4133 | 1 Redhat | 1 Keycloak | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. | |||||
| CVE-2021-3856 | 1 Redhat | 1 Keycloak | 2024-11-21 | N/A | 4.3 MEDIUM |
| ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available. | |||||
| CVE-2021-3827 | 1 Redhat | 4 Enterprise Linux, Keycloak, Openshift Container Platform and 1 more | 2024-11-21 | N/A | 6.8 MEDIUM |
| A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. | |||||
| CVE-2021-3754 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | N/A | 5.3 MEDIUM |
| A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. | |||||
| CVE-2021-3637 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. | |||||