Redhat

Single Sign-on

103 vulnerabilities found.

Note: this list may be incomplete. Data is provided as-is, in its original format, without warranty.
  • EPSS 0.39%
  • Published 25.04.2024 16:15:09
  • Last modified 21.11.2024 08:43:56

A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.
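The entry above describes a log injection: a string submitted through an authentication form reaches a log record unescaped, so a newline inside it can terminate the record and start a forged one. The following is an added example, not Keycloak's code; the log format, the field name and the forged input are constructed to show the weak pattern next to two fixes (escaping control characters, and structured JSON logging).

```python
"""Log injection via a user-controlled authentication field, and two fixes.

Added example; this is not Keycloak's code. The log format, the field name
and the forged input are constructed for illustration.
"""
from __future__ import annotations

import json
import re

# C0 controls, DEL, C1 controls and the Unicode line/paragraph separators:
# every character str.splitlines() treats as a record boundary is in here.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")


def _escape(m: re.Match) -> str:
    code = ord(m.group())
    return f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}"


def sanitize_for_log(value: str) -> str:
    """Escape control characters so the value cannot terminate the current record."""
    return _CONTROL.sub(_escape, value)


def unsafe_log_line(username: str) -> str:
    """Weak pattern: the raw field is concatenated into a plain-text log record."""
    return f"WARN  WebAuthn authentication failed for user={username}"


def safe_log_line(username: str) -> str:
    """Fix 1: same text format, but the field is escaped before concatenation."""
    return f"WARN  WebAuthn authentication failed for user={sanitize_for_log(username)}"


def structured_log_line(username: str) -> str:
    """Fix 2: structured (JSON) logging; json.dumps escapes CR/LF itself."""
    return json.dumps({"level": "WARN", "event": "webauthn_auth_failed",
                       "user": username})


# Constructed attacker input: a "username" that carries CRLF plus a forged
# success record for another account.
FORGED_USERNAME = "alice\r\nINFO  WebAuthn authentication succeeded for user=admin"


def records(entry: str) -> list[str]:
    """How a line-oriented log consumer (grep, a SIEM agent) would split the entry."""
    return entry.splitlines()


def demo() -> dict:
    """Record counts for the weak and the two hardened variants on the same input."""
    return {
        "raw": records(unsafe_log_line(FORGED_USERNAME)),
        "escaped": records(safe_log_line(FORGED_USERNAME)),
        "json": records(structured_log_line(FORGED_USERNAME)),
    }


if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"{name}: {len(lines)} record(s)")
        for line in lines:
            print("   ", line)
```

The raw variant yields two records, the second of which reads as a genuine successful login for `admin`; both fixes keep the attacker's text inside a single record. The escaping regex deliberately covers more than CR and LF, because `splitlines()` (and many log shippers) also break on vertical tab, form feed, NEL and the Unicode line separators.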

  • EPSS 0.24%
  • Published 17.04.2024 14:15:07
  • Last modified 30.06.2025 13:58:57

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain ...

  • EPSS 8.33%
  • Published 19.02.2024 22:15:48
  • Last modified 07.05.2025 12:27:53

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immedia...

  • EPSS 0.2%
  • Published 26.01.2024 15:15:08
  • Last modified 21.11.2024 08:43:32

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate o...

  • EPSS 0.11%
  • Published 21.12.2023 10:15:34
  • Last modified 21.11.2024 07:58:52

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malic...
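The entry above concerns the OAuth 2.0 device authorization grant (RFC 8628), where the server must bind each device code to the client that requested it and check that binding whenever a client_id is presented alongside the code. The following is an added example, not Keycloak's code: it models the class of flaw described (a consent step that trusts the client_id in the request rather than the one recorded at issuance) and the hardened checks at both the consent and the token step. Client names, codes and the in-memory store are constructed for illustration.

```python
"""Binding a device code to the client it was issued to (RFC 8628).

Added example, not Keycloak's code. Client names, codes and the in-memory
store are constructed for illustration.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str          # the client that requested this grant (RFC 8628 section 3.1)
    approved: bool = False


class DeviceAuthServer:
    def __init__(self) -> None:
        self._by_device_code: dict[str, DeviceGrant] = {}
        self._by_user_code: dict[str, DeviceGrant] = {}

    def authorize(self, client_id: str) -> DeviceGrant:
        """Device authorization request: issue codes bound to the calling client."""
        grant = DeviceGrant(secrets.token_urlsafe(32),
                            f"{secrets.randbelow(10**8):08d}", client_id)
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return grant

    def consent_weak(self, user_code: str, claimed_client_id: str) -> str:
        """Weak: displays whatever client_id accompanies the user code, so a code
        issued to one client can be presented to the approver as another's."""
        grant = self._by_user_code[user_code]
        grant.approved = True
        return claimed_client_id

    def consent_strict(self, user_code: str, claimed_client_id: str) -> str:
        """Hardened: the client shown and approved is the one bound to the code;
        a mismatching claim is rejected instead of displayed."""
        grant = self._by_user_code.get(user_code)
        if grant is None or grant.client_id != claimed_client_id:
            raise PermissionError("user_code was not issued to this client")
        grant.approved = True
        return grant.client_id

    def token(self, device_code: str, client_id: str) -> dict:
        """Token request (RFC 8628 section 3.4): the device code must belong to
        the polling client and must have been approved."""
        grant = self._by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if not grant.approved:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def demo() -> dict:
    """Attacker client shows its own user_code while claiming the trusted client's identity."""
    weak_srv = DeviceAuthServer()
    weak_srv.authorize("trusted-dashboard")             # constructed legitimate client
    attacker = weak_srv.authorize("attacker-cli")       # constructed malicious client
    shown_weak = weak_srv.consent_weak(attacker.user_code, "trusted-dashboard")
    weak_token = weak_srv.token(attacker.device_code, "attacker-cli")

    strict_srv = DeviceAuthServer()
    strict_srv.authorize("trusted-dashboard")
    attacker2 = strict_srv.authorize("attacker-cli")
    try:
        strict_srv.consent_strict(attacker2.user_code, "trusted-dashboard")
        strict_rejected = False
    except PermissionError:
        strict_rejected = True
    strict_token = strict_srv.token(attacker2.device_code, "attacker-cli")

    return {"weak_shown": shown_weak, "weak_token_issued": "access_token" in weak_token,
            "strict_rejected": strict_rejected, "strict_token": strict_token}


if __name__ == "__main__":
    print(demo())
```

With the weak consent step the approver is shown `trusted-dashboard`, approves, and the attacker's client then collects a token for its own device code. With the strict step the mismatch is refused before anything is displayed, and the attacker's later token poll stays at `authorization_pending`.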

  • EPSS 0.56%
  • Published 18.12.2023 23:15:10
  • Last modified 21.11.2024 08:44:51

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-...

Media report Exploit
  • EPSS 64.06%
  • Published 18.12.2023 16:15:10
  • Last modified 29.09.2025 21:56:10

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client a...

Exploit
  • EPSS 1.41%
  • Published 14.12.2023 22:15:44
  • Last modified 21.11.2024 08:43:12

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or furthe...
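Several entries above concern redirect validation: URLs in a redirect not properly validated, a redirect_uri check that lets an otherwise explicit host allow-list be bypassed, and a scheme restriction that is defeated once a wildcard is appended to the registered value. The following is an added example, not Keycloak's code, showing the weak pattern common to all three (a trailing `*` turning a registration into a prefix test, plus a string deny-list on schemes) next to a strict component-wise allow-list check. The registered URIs, the candidate URIs and the https-only policy are constructed assumptions.

```python
"""Strict OAuth 2.0 redirect_uri validation versus wildcard/prefix matching.

Added example, not Keycloak's code. Registered URIs, candidates and the
https-only policy are constructed assumptions.
"""
from __future__ import annotations

from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}                 # assumption: callbacks must be https
DENIED_SCHEMES = {"javascript:", "data:"}   # the weak checker's string deny-list
DEFAULT_PORTS = {"https": 443, "http": 80}


def naive_wildcard_match(registered: str, candidate: str) -> bool:
    """Weak pattern: a trailing '*' turns the registration into a prefix test."""
    if registered.endswith("*"):
        return candidate.startswith(registered[:-1])
    return candidate == registered


def weak_allows(registered: list[str], candidate: str) -> bool:
    """Weak validator: string deny-list on the registered value, then prefix match.
    'javascript:' is rejected, but 'javascript:*' is a different string and slips by."""
    return any(reg not in DENIED_SCHEMES and naive_wildcard_match(reg, candidate)
               for reg in registered)


def _canonical(uri: str):
    """(scheme, host, port, path), scheme/host lowercased, default port filled in.
    None for anything unparsable, containing a wildcard, or carrying a query/fragment."""
    try:
        p = urlsplit(uri)
        port = p.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if "*" in uri or p.query or p.fragment or not p.hostname:
        return None
    scheme = p.scheme.lower()
    return (scheme, p.hostname, port or DEFAULT_PORTS.get(scheme), p.path or "/")


def strict_allows(registered: list[str], candidate: str) -> bool:
    """Hardened validator: exact component-wise match against registrations that
    carry no wildcard, and only allow-listed schemes are ever accepted."""
    cand = _canonical(candidate)
    if cand is None or cand[0] not in ALLOWED_SCHEMES:
        return False
    return any(_canonical(reg) == cand for reg in registered)


# Constructed client registration: one exact entry plus two wildcard entries
# of the kind an administrator might add for convenience.
REGISTERED = [
    "https://app.example.com/cb",
    "https://app.example.com*",
    "javascript:*",
]


def demo() -> dict:
    """(weak, strict) verdicts for a legitimate callback and three attack shapes."""
    cases = {
        "legit": "https://app.example.com/cb",
        "host_leak": "https://app.example.com.attacker.example/cb",
        "scheme_smuggle": "javascript:alert(document.domain)",
        "fragment": "https://app.example.com/cb#access_token=leak",
    }
    return {name: (weak_allows(REGISTERED, uri), strict_allows(REGISTERED, uri))
            for name, uri in cases.items()}


if __name__ == "__main__":
    for name, (weak, strict) in demo().items():
        print(f"{name:15s} weak={weak!s:5s} strict={strict}")
```

The prefix check accepts a foreign host that merely begins with the registered one, accepts a `javascript:` URI because the deny-list compared whole strings, and accepts a fragment-bearing URI; the strict check accepts only the exact registered callback (case-insensitive scheme and host, default port normalised, path compared verbatim). Registrations containing `*` are simply never matched by the strict check, which is the intended effect: a wildcard that cannot be expressed cannot be bypassed.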

Exploit
  • EPSS 0.3%
  • Published 14.12.2023 18:15:45
  • Last modified 21.11.2024 08:44:06

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more u...

  • EPSS 0.23%
  • Published 12.12.2023 22:15:22
  • Last modified 21.11.2024 08:41:39

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJ...