Redhat

Keycloak

128 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.18%
  • Published 11.02.2021 18:15:14
  • Last modified 21.11.2024 05:11:13

A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.

  • EPSS 0.02%
  • Published 11.02.2021 18:15:13
  • Last modified 21.11.2024 04:55:57

A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable.
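The missing check described above, shown as an added example (not Keycloak's code): a logout handler that ends any session whose cookie is presented, beside one that additionally demands a session-bound CSRF token in a POST body. The in-memory session store and the request dictionaries are constructed for the example; the `<img src=...>` URL in the comment is hypothetical.

```python
import secrets

# Constructed in-memory session store (assumption: session id -> record).
SESSIONS = {}


def create_session(user):
    """Create a logged-in session and return its id (the value the cookie carries)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def logout_unprotected(request):
    """Vulnerable pattern: any request that carries the session cookie ends
    the session, so a cross-site page can log the victim out with something
    like <img src="https://sso.example/.../logout"> (hypothetical URL)."""
    sid = request.get("cookie_sid")
    if sid in SESSIONS:
        del SESSIONS[sid]
        return 200
    return 400


def logout_protected(request):
    """Hardened: require a POST carrying a token bound to the session that a
    cross-origin page cannot read, compared in constant time."""
    if request.get("method") != "POST":
        return 405
    session = SESSIONS.get(request.get("cookie_sid"))
    if session is None:
        return 400
    token = request.get("csrf_token")
    if not token or not secrets.compare_digest(token, session["csrf"]):
        return 403  # cookie alone is not enough
    del SESSIONS[request["cookie_sid"]]
    return 200
```

The browser attaches the cookie to a cross-site request automatically, but it cannot attach the per-session token, which is why the second handler rejects the forged request while the first accepts it.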

  • EPSS 0.12%
  • Published 28.01.2021 20:15:12
  • Last modified 21.11.2024 05:11:14

A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.

  • EPSS 0.15%
  • Published 15.12.2020 20:15:15
  • Last modified 21.11.2024 05:02:57

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicio...
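Added example (not Keycloak's implementation) of the single-use "state" handling that the entry above says was missing: a broker-side store that issues a state value before redirecting to the external identity provider and consumes it exactly once on the way back, so replaying the same callback fails. Class, method and session names are assumed for the example.

```python
import secrets
import time


class BrokerStateStore:
    """Issues a 'state' value when the login is redirected to the external IdP
    and consumes it exactly once when the IdP redirects back."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # state -> (client_session_id, issued_at)

    def issue(self, client_session_id, now=None):
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(24)  # unguessable, bound to this login attempt
        self._pending[state] = (client_session_id, now)
        return state

    def lookup_without_consuming(self, state):
        """The vulnerable behaviour: a read that leaves the entry in place."""
        entry = self._pending.get(state)
        return entry[0] if entry else None

    def consume(self, state, now=None):
        """Single use: pop() removes the entry, so a second call returns None."""
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)
        if entry is None:
            return None
        client_session_id, issued_at = entry
        if now - issued_at > self.ttl:
            return None
        return client_session_id


def vulnerable_callback(store, state):
    """Accepts the same state on every invocation."""
    return store.lookup_without_consuming(state)


def hardened_callback(store, state, now=None):
    """Accepts a given state once, within its TTL; replays are rejected."""
    client_session = store.consume(state, now)
    if client_session is None:
        return {"status": 400, "error": "invalid_or_replayed_state"}
    return {"status": 200, "session": client_session}
```

In a clustered deployment the store has to be shared (or the state has to be bound to a single node's session), otherwise a replay against a different node still succeeds.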

Exploit
  • EPSS 92.28%
  • Published 15.12.2020 20:15:14
  • Last modified 21.11.2024 04:56:02

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF...
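An added example (not Keycloak's code) of the kind of check that stops the server-side request forgery described above: before fetching a `request_uri`, require https, refuse literal addresses in loopback, private and link-local ranges, and only fetch values the client registered in advance. The client registry and client id are constructed for the example; resolving a hostname and re-checking the resulting address is left out.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed client registration: each client pre-registers the exact
# request_uri values it may use (OIDC registration parameter "request_uris").
CLIENT_REQUEST_URIS = {
    "my-app": {"https://app.example.com/oidc/request.jwt"},
}

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def host_is_internal(host):
    """True if host is a literal IP inside a loopback/private/link-local range.
    Hostnames are not resolved here; a real deployment must also check the
    resolved address to catch DNS names pointing at internal ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def request_uri_allowed(client_id, request_uri):
    """Return (allowed, reason) for a request_uri a client asks us to fetch."""
    parts = urlsplit(request_uri)
    if parts.scheme != "https":
        return False, "scheme_not_https"
    if not parts.hostname:
        return False, "no_host"
    if host_is_internal(parts.hostname):
        return False, "internal_address"
    if request_uri not in CLIENT_REQUEST_URIS.get(client_id, set()):
        return False, "not_registered"
    return True, "ok"
```

The registration check alone would already stop an arbitrary URL; the scheme and address checks are defence in depth against a client whose registered list was filled in carelessly.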

  • EPSS 0.15%
  • Published 17.11.2020 02:15:13
  • Last modified 21.11.2024 05:03:09

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

  • EPSS 0.27%
  • Published 17.11.2020 02:15:11
  • Last modified 21.11.2024 04:56:02

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.

  • EPSS 0.38%
  • Published 09.11.2020 17:15:12
  • Last modified 21.11.2024 05:03:06

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can ...
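Added example (not Keycloak's code) contrasting the transformation the entry above describes with a safe one: the vulnerable resolver decodes the URL path and joins it to the resource root, so `%2e%2e` and `%2f` segments climb out of the root; the hardened resolver decodes once, splits on `/`, rejects `..`, NUL and backslash, and verifies the canonical result is still under the root. The root directory path is an assumption made for the example.

```python
import posixpath
from urllib.parse import unquote

RESOURCE_ROOT = "/opt/keycloak/themes"  # assumed root for the example


def vulnerable_resolve(url_path):
    """Vulnerable pattern: decode, then join without checking the result.
    normpath mirrors what the filesystem does with the '..' segments."""
    return posixpath.normpath(RESOURCE_ROOT + "/" + unquote(url_path))


def safe_resolve(url_path, root=RESOURCE_ROOT):
    """Decode once, reject traversal and control characters, and require the
    canonical path to stay under root. Returns the path or None (reject)."""
    decoded = unquote(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

Decoding exactly once matters: decoding a second time would turn `%252e%252e` into `..` after the check has run, which is how double-encoding bypasses a filter applied to the raw request.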

  • EPSS 0.28%
  • Published 16.09.2020 19:15:13
  • Last modified 21.11.2024 05:11:11

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.

  • EPSS 0.39%
  • Published 16.09.2020 18:15:12
  • Last modified 21.11.2024 04:55:59

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
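Both the `redirect_uri` scheme entry (unsafe schemes such as `javascript:`) and the data-filter entry above come down to the same question: which URL schemes may a value carry before it is redirected to or rendered into a page. The following added example (not Keycloak's filter) answers it with an allowlist and a scheme extractor that refuses strings containing control or whitespace characters, which browsers strip before parsing and which a naive `startswith("javascript:")` check misses. The registered redirect URIs and custom-scheme list are constructed for the example.

```python
import re

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
SAFE_SCHEMES = {"http", "https"}
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}


def extract_scheme(url):
    """Return the lowercase scheme, '' for a relative URL, or None when the
    string contains control/whitespace characters (e.g. 'java\\tscript:')."""
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return None
    scheme, sep, _ = url.partition(":")
    if not sep or not SCHEME_RE.match(scheme):
        return ""  # no syntactically valid scheme: treat as relative
    return scheme.lower()


def redirect_uri_allowed(uri, registered_uris, extra_schemes=()):
    """redirect_uri must be absolute, use http(s) or an explicitly permitted
    custom scheme, and exactly match a registered value for the client."""
    scheme = extract_scheme(uri)
    if not scheme:
        return False
    if scheme not in SAFE_SCHEMES and scheme not in {s.lower() for s in extra_schemes}:
        return False
    return uri in registered_uris


def content_url_allowed(url):
    """Filter for URLs placed into rendered pages: relative and http(s) pass,
    everything else is rejected with a reason."""
    scheme = extract_scheme(url)
    if scheme is None:
        return False, "control_chars"
    if scheme == "":
        return True, "relative"
    if scheme in SAFE_SCHEMES:
        return True, "ok"
    if scheme in DANGEROUS_SCHEMES:
        return False, "dangerous_scheme"
    return False, "unknown_scheme"
```

The deny set is only used to label the reason; the decision itself is allowlist-based, so a scheme nobody thought of (a new browser feature, an app-registered handler) is rejected by default rather than passed through.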