org.keycloak:keycloak-services
Maven · 64 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.keycloak:keycloak-services (page 1 of 2)
- CVE-2014-3652 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.1.0.Beta1 | 2019-12-15
  vulnerable: 1.0-alpha-1 ... 1.0.5.Final (19 versions)
  JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.
- CVE-2014-3655 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 1.0.2.Final | 2019-11-13
  vulnerable: 1.0-alpha-1 ... 1.0.1.Final (15 versions)
  JBoss KeyCloak is vulnerable to soft token deletion via CSRF.
- CVE-2014-3709 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.0.3.Final | 2017-10-18
  vulnerable: 1.0-alpha-1 ... 1.0.2.Final (16 versions)
  The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
- CVE-2018-10894 | MEDIUM | CVSS 5.4 | ✓ Fixed in 4.4.0.Final | 2018-08-01
  vulnerable: 1.0-alpha-1 ... 4.3.0.Final (91 versions)
  It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
- CVE-2020-10776 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 12.0.0 | 2020-11-17
  vulnerable: 1.0-alpha-1 ... 9.0.3 (117 versions)
  A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
- CVE-2021-3424 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 18.0.0 | 2021-06-01
  vulnerable: 1.0-alpha-1 ... 9.0.3 (135 versions)
  A flaw was found in Keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick an admin into granting him extra privileges.
- CVE-2021-3754 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 24.0.1 | 2022-08-26
  vulnerable: 1.0-alpha-1 ... 9.0.3 (169 versions)
  A flaw was found in Keycloak where an attacker is able to register himself with a username that is the same as the email ID of any existing user. This may interfere with delivery of the password recovery email if that user forgets their password.
- CVE-2021-4133 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 15.1.1 | 2022-01-25
  vulnerable: 1.0-alpha-1 ... 9.0.3 (129 versions)
  A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
- CVE-2022-1245 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 18.0.0 | 2022-07-08
  vulnerable: 1.0-alpha-1 ... 9.0.3 (135 versions)
  A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target…
- CVE-2022-1274 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 20.0.5 | 2023-03-29
  vulnerable: 1.0-alpha-1 ... 9.0.3 (147 versions)
  A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
- CVE-2022-1438 | MEDIUM | CVSS 6.4 | EG 6.4 | 2023-09-20
  vulnerable: 1.0-alpha-1 ... 9.0.3 (149 versions)
  A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
- CVE-2022-2232 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 23.0.1 | 2024-11-14
  vulnerable: 1.0-alpha-1 ... 9.0.3 (161 versions)
  A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.
- CVE-2022-4361 | CRITICAL | CVSS 10.0 | EG 10.0 | ✓ Fixed in 21.1.2 | 2023-07-07
  vulnerable: 1.0-alpha-1 ... 9.0.3 (153 versions)
  Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionCo…
- CVE-2023-0264 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 21.0.1 | 2023-08-04
  vulnerable: 1.0-alpha-1 ... 9.0.3 (149 versions)
  A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to imperson…
- CVE-2023-0657 | LOW | CVSS 3.4 | EG 3.4 | ✓ Fixed in 24.0.3 | 2024-11-17
  vulnerable: 23.0.0 ... 24.0.2 (11 versions)
  A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access …
- CVE-2023-2422 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 21.1.2 | 2023-10-04
  vulnerable: 1.0-alpha-1 ... 9.0.3 (153 versions)
  A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as …
- CVE-2023-2585 | LOW | CVSS 3.5 | EG 3.5 | ✓ Fixed in 21.1.2 | 2023-12-21
  vulnerable: 1.0-alpha-1 ... 9.0.3 (153 versions)
  Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent…
- CVE-2023-3597 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 24.0.3 | 2024-04-25
  vulnerable: 23.0.0 ... 24.0.2 (11 versions)
  A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication fac…
- CVE-2023-6134 | MEDIUM | CVSS 4.6 | EG 4.6 | ✓ Fixed in 23.0.3 | 2023-12-14
  vulnerable: 1.0-alpha-1 ... 9.0.3 (163 versions)
  A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS…
- CVE-2023-6291 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 23.0.3 | 2024-01-26
  vulnerable: 1.0-alpha-1 ... 9.0.3 (163 versions)
  A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to im…
- CVE-2023-6484 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 23.0.5 | 2024-04-25
  vulnerable: 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4
  A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact on log integrity.
- CVE-2023-6544 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 24.0.3 | 2024-04-25
  vulnerable: 23.0.0 ... 24.0.2 (11 versions)
  A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment coul…
- CVE-2023-6717 | MEDIUM | CVSS 6.0 | EG 6.0 | ✓ Fixed in 24.0.3 | 2024-04-25
  vulnerable: 23.0.0 ... 24.0.2 (11 versions)
  A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issu…
- CVE-2023-6787 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 24.0.3 | 2024-04-25
  vulnerable: 23.0.0 ... 24.0.2 (11 versions)
  A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query p…
- CVE-2024-10270 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 26.0.6 | 2024-11-25
  vulnerable: 25.0.0 ... 26.0.5 (13 versions)
  A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
- CVE-2024-1132 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 24.0.3 | 2024-04-17
  vulnerable: 23.0.0 ... 24.0.2 (11 versions)
  A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within …
- CVE-2024-1249 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 24.0.3 | 2024-04-17
  vulnerable: 23.0.0 ... 24.0.2 (11 versions)
  A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly imp…
- CVE-2024-1722 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 24.0.0 | 2024-02-29
  vulnerable: 1.0-alpha-1 ... 9.0.3 (168 versions)
  A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.
- CVE-2024-2419 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 24.0.3 | 2024-04-17
  vulnerable: 23.0.0 ... 24.0.2 (11 versions)
  A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to imperso…
- CVE-2024-3656 | HIGH | CVSS 8.1 | EG 9.0 | ✓ Fixed in 24.0.5 | 2024-10-09
  vulnerable: 1.0-alpha-1 ... 9.0.3 (173 versions)
  A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to …
- CVE-2024-4540 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 24.0.5 | 2024-06-03
  vulnerable: 1.0-alpha-1 ... 9.0.3 (173 versions)
  A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_u…
- CVE-2024-4629 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 25.0.4 | 2024-09-03
  vulnerable: 25.0.0, 25.0.1, 25.0.2, 25.0.3
  A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits…
- CVE-2024-7341 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 25.0.5 | 2024-09-09
  vulnerable: 25.0.0, 25.0.1, 25.0.2, 25.0.3, 25.0.4
  A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an at…
- CVE-2024-8883 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 25.0.6 | 2024-09-19
  vulnerable: 25.0.0 ... 25.0.5 (6 versions)
  A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authoriz…
- CVE-2025-11429 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 26.2.11 | 2025-10-23
  vulnerable: 1.0-alpha-1 ... 9.0.3 (202 versions)
  A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until th…
- CVE-2025-12110 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 26.2.3 | 2025-10-23
  vulnerable: 1.0-alpha-1 ... 9.0.3 (199 versions)
  A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is still accepted, and new tokens can continue to be requested for the session. As it can lead to a …
- CVE-2025-12390 | MEDIUM | CVSS 6.0 | EG 6.0 | ✓ Fixed in 26.0.0 | 2025-10-28
  vulnerable: 1.0-alpha-1 ... 9.0.3 (181 versions)
  A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up…
- CVE-2025-13881 | LOW | CVSS 2.7 | EG 2.7 | ✓ Fixed in 26.4.9 | 2026-02-02
  vulnerable: 1.0-alpha-1 ... 9.0.3 (216 versions)
  A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
- CVE-2025-1391 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 26.0.10 | 2025-02-17
  vulnerable: 1.0-alpha-1 ... 9.0.3 (190 versions)
  A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization's domain pattern. This issue occurs at the mapper level, leadin…
- CVE-2025-14082 | LOW | CVSS 2.7 | EG 2.7 | ✓ Fixed in 26.5.0 | 2025-12-10
  vulnerable: 1.0-alpha-1 ... 9.0.3 (216 versions)
  A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
- CVE-2025-14083 | LOW | CVSS 2.7 | EG 2.7 | 2026-01-21
  vulnerable: 1.0-alpha-1 ... 9.0.3 (202 versions)
  A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.
- CVE-2025-14559 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 26.4.9 | 2026-01-21
  vulnerable: 1.0-alpha-1 ... 9.0.3 (216 versions)
  A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vul…
- CVE-2025-14778 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 26.4.9 | 2026-02-09
  vulnerable: 26.3.0 ... 26.4.7 (14 versions)
  A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization c…
- CVE-2025-2559 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-03-25
  vulnerable: 1.0-alpha-1 ... 9.0.3 (195 versions)
  A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache c…
- CVE-2025-3501 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 26.2.2 | 2025-04-29
  vulnerable: 1.0-alpha-1 ... 9.0.3 (198 versions)
  A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
- CVE-2025-7365 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 26.2.6 | 2025-07-10
  vulnerable: 26.2.0 ... 26.2.5 (6 versions)
  A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This…
- CVE-2025-7784 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 26.2.6 | 2025-07-18
  vulnerable: 26.2.0 ... 26.2.5 (6 versions)
  A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper …
- CVE-2026-1035 | LOW | CVSS 3.1 | EG 3.1 | 2026-01-21
  vulnerable: 1.0-alpha-1 ... 9.0.3 (202 versions)
  A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and updat…
- CVE-2026-1190 | LOW | CVSS 3.1 | EG 3.1 | 2026-01-26
  vulnerable: 1.0-alpha-1 ... 9.0.3 (219 versions)
  A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationDat…
- CVE-2026-1486 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 26.4.9 | 2026-02-09
  vulnerable: 1.0-alpha-1 ... 9.0.3 (216 versions)
  A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFr…