## Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
## Vulnerabilities
In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
## Details
## CVE-2020-1714
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
Publish Date: 2020-05-13
URL: CVE-2020-1714
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.8%
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1705975
Release Date: 2020-05-13
Fix Resolution: 11.0.0
## CVE-2019-10201
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
Publish Date: 2019-08-14
URL: CVE-2019-10201
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10201
Release Date: 2019-08-14
Fix Resolution: 7.0.0
## CVE-2023-6841
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited. An attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values.
Publish Date: 2024-09-10
URL: CVE-2023-6841
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-w97f-w3hq-36g2
Release Date: 2024-09-10
Fix Resolution: 24.0.0
## CVE-2021-20262
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user's browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Publish Date: 2021-03-09
URL: CVE-2021-20262
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Physical
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-20262
Release Date: 2021-03-09
Fix Resolution: 13.0.0
## CVE-2019-10170
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.
Publish Date: 2020-05-08
URL: CVE-2019-10170
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-7m27-3587-83xf
Release Date: 2020-05-08
Fix Resolution: 8.0.0
## CVE-2023-1664
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak. This flaw depends on the non-default configuration "Revalidate Client Certificate" being enabled while the reverse proxy in front of Keycloak does not validate the certificate. In this setup an attacker may choose the certificate that the server will validate. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing or misconfigured, any trust file may be accepted, with the log message "Cannot validate client certificate trust: Truststore not available". This may not impact availability, as the attacker would have no access to the server, but the integrity or confidentiality of consumer applications may be impacted given possible access to them. If the environment is correctly configured to use "Revalidate Client Certificate", this flaw is avoidable.
Publish Date: 2023-05-26
URL: CVE-2023-1664
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-1664
Release Date: 2023-05-26
Fix Resolution: 21.1.2
## CVE-2023-0105
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lock out or impersonate them.
Publish Date: 2023-01-11
URL: CVE-2023-0105
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-0105
Release Date: 2023-01-11
Fix Resolution: 20.0.3
## CVE-2022-1466
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
Publish Date: 2022-04-26
URL: CVE-2022-1466
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-f32v-vf79-p29q
Release Date: 2022-04-26
Fix Resolution: 17.0.1
## WS-2022-0408
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A Stored XSS vulnerability was reported on the Keycloak Security mailing list, affecting all versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the groups' dropdown functionality.
Publish Date: 2022-11-30
URL: WS-2022-0408
### Threat Assessment
Exploit Maturity: Not Defined
EPSS:
### CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-755v-r4x4-qf7m
Release Date: 2022-11-30
Fix Resolution: 20.0.0
## CVE-2022-0225
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak. This flaw allows a privileged attacker to use a malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
Publish Date: 2022-08-26
URL: CVE-2022-0225
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0225
Release Date: 2022-08-26
Fix Resolution: 16.1.1
## CVE-2020-1725
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.
Publish Date: 2021-01-28
URL: CVE-2020-1725
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://issues.redhat.com/browse/KEYCLOAK-16550
Release Date: 2021-01-28
Fix Resolution: 13.0.0
## CVE-2021-3754
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak where an attacker is able to register with a username identical to the email address of any existing user. This may prevent the existing user from receiving the password recovery email if they forget their password.
Publish Date: 2022-08-26
URL: CVE-2021-3754
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-j9xq-j329-2xvg
Release Date: 2022-08-26
Fix Resolution: 19.0.2
## CVE-2020-10770
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out to an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Publish Date: 2020-12-15
URL: CVE-2020-10770
### Threat Assessment
Exploit Maturity: High
EPSS: 20.0%
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-jh7q-5mwf-qvhw
Release Date: 2020-12-15
Fix Resolution: org.keycloak:keycloak-core:13.0.0
## CVE-2024-7318
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A vulnerability was found in Keycloak. Expired OTP codes are still usable with FreeOTP when the OTP token period is set to 30 seconds (the default). Instead of expiring and being deemed unusable after roughly 30 seconds, the tokens remain valid for an additional 30 seconds, totaling 1 minute. A one-time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time two OTPs are valid.
Publish Date: 2024-09-09
URL: CVE-2024-7318
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-57rh-gr4v-j5f6
Release Date: 2024-09-09
Fix Resolution: 25.0.0
## CVE-2020-1728
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A vulnerability was found in all versions of Keycloak where the pages in the Admin Console area of the application are completely missing general HTTP security headers in HTTP responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaw unnecessarily makes the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
Publish Date: 2020-04-06
URL: CVE-2020-1728
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728
Release Date: 2020-04-06
Fix Resolution: 10.0.0
## CVE-2019-3875
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A vulnerability was found in Keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through a CRL, where the CRL can be obtained from the URL provided in the certificate itself (the CDP) or through a separately configured path. CRLs are often available over the network through unsecured protocols ('http' or 'ldap'), and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRLs, which opens the possibility of various attacks such as man-in-the-middle.
Publish Date: 2019-06-12
URL: CVE-2019-3875
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3875
Release Date: 2019-06-12
Fix Resolution: 6.0.1
## CVE-2023-0091
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
Publish Date: 2023-01-11
URL: CVE-2023-0091
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (3.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=2158585
Release Date: 2023-01-11
Fix Resolution: 20.0.3
## CVE-2022-2256
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A Stored Cross-site scripting (XSS) vulnerability was found in Keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
Publish Date: 2022-09-01
URL: CVE-2022-2256
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (3.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-w8v7-c7pm-7wfr
Release Date: 2022-09-01
Fix Resolution: 19.0.2
## CVE-2024-1722
### Vulnerable Library - keycloak-core-5.0.0.jar
Keycloak SSO
Library home page: http://www.jboss.org
Path to vulnerable library: /test/fixtures/maven-jars/keycloak-core-5.0.0.jar
Dependency Hierarchy:
- :x: **keycloak-core-5.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details
A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.
Publish Date: 2024-02-27
URL: CVE-2024-1722
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1722
Release Date: 2024-02-27
Fix Resolution: 23.0.6