Redhat

Keycloak

128 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.23%
  • Published 20.09.2023 15:15:11
  • Last modified 21.11.2024 07:20:31

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user auth...

  • EPSS 0.15%
  • Published 20.09.2023 14:15:12
  • Last modified 21.11.2024 06:40:44

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

  • EPSS 0.08%
  • Published 12.09.2023 20:15:10
  • Last modified 21.11.2024 08:36:15

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers themselves through the registration flow, the "password" and "password-confirm" fields from the form will appear as regular user attributes. All users a...

  • EPSS 3.94%
  • Published 04.08.2023 18:15:11
  • Last modified 21.11.2024 07:36:51

A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the vic...

  • EPSS 0.31%
  • Published 07.07.2023 20:15:09
  • Last modified 21.11.2024 07:35:08

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServi...

  • EPSS 0.24%
  • Published 26.05.2023 18:15:09
  • Last modified 15.01.2025 22:15:25

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certifi...

  • EPSS 0.67%
  • Published 29.03.2023 21:15:07
  • Last modified 21.11.2024 06:40:23

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.

  • EPSS 0.1%
  • Published 13.01.2023 06:15:11
  • Last modified 09.04.2025 14:15:24

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs...

  • EPSS 0.08%
  • Published 13.01.2023 06:15:11
  • Last modified 09.04.2025 15:15:56

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

  • EPSS 0.1%
  • Published 13.01.2023 06:15:11
  • Last modified 09.04.2025 14:15:27

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lock out or impersonate them.