CVE-2023-1664
- EPSS 0.25%
- Published 26.05.2023 18:15:09
- Last modified 15.01.2025 22:15:25
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certifi...
CVE-2022-1274
- EPSS 0.99%
- Published 29.03.2023 21:15:07
- Last modified 21.11.2024 06:40:23
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
CVE-2022-3782
- EPSS 0.17%
- Published 13.01.2023 06:15:11
- Last modified 09.04.2025 14:15:24
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs...
CVE-2023-0091
- EPSS 0.23%
- Published 13.01.2023 06:15:11
- Last modified 09.04.2025 15:15:56
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
CVE-2023-0105
- EPSS 0.2%
- Published 13.01.2023 06:15:11
- Last modified 09.04.2025 14:15:27
A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.
CVE-2022-2256
- EPSS 0.88%
- Published 01.09.2022 21:15:09
- Last modified 21.11.2024 07:00:37
A stored cross-site scripting (XSS) vulnerability was found in Keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console by abusing the default roles functionality.
CVE-2022-0225
- EPSS 0.51%
- Published 26.08.2022 18:15:08
- Last modified 21.11.2024 06:38:10
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
CVE-2021-3632
- EPSS 0.5%
- Published 26.08.2022 16:15:09
- Last modified 21.11.2024 06:22:01
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
CVE-2021-3754
- EPSS 12.32%
- Published 26.08.2022 16:15:09
- Last modified 21.11.2024 06:22:20
A flaw was found in Keycloak where an attacker is able to register an account whose username is the same as the email address of an existing user. This may prevent that user from receiving the password recovery email if they forget their password.
CVE-2021-3856
- EPSS 0.36%
- Published 26.08.2022 16:15:09
- Last modified 21.11.2024 06:22:39
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the cont...