Redhat

Keycloak

136 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.3

CVE-2021-3754

  • EPSS 11.08%
  • Veröffentlicht 26.08.2022 16:15:09
  • Zuletzt bearbeitet 21.11.2024 06:22:20

A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.

4.3

CVE-2021-3856

  • EPSS 0.36%
  • Veröffentlicht 26.08.2022 16:15:09
  • Zuletzt bearbeitet 21.11.2024 06:22:39

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the cont...

6.8

CVE-2021-3827

  • EPSS 0.22%
  • Veröffentlicht 23.08.2022 16:15:10
  • Zuletzt bearbeitet 21.11.2024 06:22:33

A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authoriza...

5.4

CVE-2020-35509

  • EPSS 0.09%
  • Veröffentlicht 23.08.2022 16:15:08
  • Zuletzt bearbeitet 30.06.2025 21:15:28

A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentia...

7.5

CVE-2021-3513

  • EPSS 0.2%
  • Veröffentlicht 22.08.2022 15:15:13
  • Zuletzt bearbeitet 21.11.2024 06:21:43

A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is t...

7.2

CVE-2022-2668

  • EPSS 0.47%
  • Veröffentlicht 05.08.2022 17:15:08
  • Zuletzt bearbeitet 21.11.2024 07:01:28

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

9.8

CVE-2022-1245

  • EPSS 0.4%
  • Veröffentlicht 08.07.2022 00:15:07
  • Zuletzt bearbeitet 21.11.2024 06:40:20

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This coul...

6.5

CVE-2022-1466

Exploit
  • EPSS 0.16%
  • Veröffentlicht 26.04.2022 19:15:49
  • Zuletzt bearbeitet 21.11.2024 06:40:46

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

7.1

CVE-2021-3461

  • EPSS 0.05%
  • Veröffentlicht 01.04.2022 23:15:10
  • Zuletzt bearbeitet 21.11.2024 06:21:35

A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].

6.1

CVE-2021-20323

  • EPSS 70.08%
  • Veröffentlicht 25.03.2022 19:15:08
  • Zuletzt bearbeitet 21.11.2024 05:46:22

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.