CVE Daily
← All tags

Tag: Keycloak

All CVEs associated with "Keycloak". Page 2/2 • 230 CVEs.

Subscribe CVEs: RSS for “Keycloak”  ·  RSS (High+Critical only)

About “Keycloak”

A curated feed of “Keycloak”-related CVEs appears below. We currently track 230 CVEs for this tag (all time). In the last 365 days, 87 were published. Average CVSS is 6.1 (all time; 5.6 over 365d), and 32% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-284 - Improper Access Control, CWE-266 - Incorrect Privilege Assignment, CWE-613 - Insufficient Session Expiration.

In our taxonomy this topic maps to a MODERATE impact class. Identity providers govern authentication across the estate. Upgrade, enforce phishing resistant MFA, review audit logs, rotate admin keys, and tighten policies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-04-25
Medium

CVE-2023-6484

A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs i…

CVSS: 5.3 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD
Medium

CVE-2023-3597

A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to re…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2024-04-17
High

CVE-2024-2419

A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making…

CVSS: 7.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
High

CVE-2024-1249

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seco…

CVSS: 7.4 CWE: CWE-346 - Origin Validation Error View on NVD
High

CVE-2024-1132

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access othe…

CVSS: 8.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-02-29
Low

CVE-2024-1722

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

CVSS: 3.7 CWE: CWE-645 - Overly Restrictive Account Lockout Mechanism View on NVD
2024-02-28
Medium

CVE-2024-0560

A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Tok…

CVSS: 6.3 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
2024-01-26
High

CVE-2023-6291

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, m…

CVSS: 7.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2023-12-23
Medium

CVE-2023-49594

An information disclosure vulnerability exists in the challenge functionality of instipod DuoUniversalKeycloakAuthenticator 1.0.7 plugin. A specially crafted HTTP request can lead to a disclosure of…

CVSS: 4.5 CWE: CWE-201 - Insertion of Sensitive Information Into Sent Data View on NVD
2023-12-21
Low

CVE-2023-2585

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an a…

CVSS: 3.5 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2023-12-18
Medium

CVE-2023-6927

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to by…

CVSS: 4.6 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2023-12-14
Medium

CVE-2023-6134

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted requ…

CVSS: 4.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2023-6563

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 sa…

CVSS: 7.7 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2023-10-04
Medium

CVE-2023-2422

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a pro…

CVSS: 5.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-09-25
High

CVE-2022-4137

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Ke…

CVSS: 8.1 CWE: CWE-81 - Improper Neutralization of Script in an Error Message Web Page View on NVD
2023-09-20
Medium

CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and…

CVSS: 6.8 CWE: CWE-384 - Session Fixation View on NVD
Medium

CVE-2022-1438

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-09-12
High

CVE-2023-4918

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form…

CVSS: 8.8 CWE: CWE-256 - Plaintext Storage of a Password View on NVD
2023-07-07
Critical

CVE-2022-4361

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute mali…

CVSS: 10.0 CWE: CWE-81 - Improper Neutralization of Script in an Error Message Web Page View on NVD
2023-05-26
Medium

CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. U…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-04-28
High

CVE-2023-1477

Improper Authentication vulnerability in HYPR Keycloak Authenticator Extension allows Authentication Abuse.This issue affects HYPR Keycloak Authenticator Extension: before 7.10.2, before 8.0.3.

CVSS: 7.2 CWE: CWE-287 - Improper Authentication View on NVD
2023-03-29
Medium

CVE-2022-1274

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other…

CVSS: 5.4 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD
2023-03-27
Medium

CVE-2022-2237

A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2023-01-26
Medium

CVE-2023-24457

A cross-site request forgery (CSRF) vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account.

CVSS: 6.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2023-24456

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVSS: 9.8 CWE: CWE-384 - Session Fixation View on NVD
2023-01-13
Medium

CVE-2023-0105

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and loc…

CVSS: 6.5 CWE: CWE-287 - Improper Authentication View on NVD
Low

CVE-2023-0091

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensiti…

CVSS: 3.8 CWE: CWE-863 - Incorrect Authorization View on NVD
Critical

CVE-2022-3782

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious…

CVSS: 9.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-01-11
Medium

CVE-2023-22492

ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for intera…

CVSS: 5.9 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2022-09-01
Low

CVE-2022-2256

A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin consol…

CVSS: 3.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2022-08-31
High

CVE-2022-36051

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER`…

CVSS: 8.7 CWE: CWE-436 - Interpretation Conflict View on NVD
2022-08-26
Medium

CVE-2022-0225

A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site s…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-3754

A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in ca…

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-3632

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2022-08-23
Medium

CVE-2021-3827

A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sendin…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2020-35509

A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest th…

CVSS: 5.4 CWE: CWE-20 - Improper Input Validation View on NVD
2022-08-22
High

CVE-2021-3513

A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are enter…

CVSS: 7.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2022-08-05
High

CVE-2022-2668

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

CVSS: 7.2 CWE: N/A View on NVD
2022-07-08
Critical

CVE-2022-1245

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target clien…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
2022-04-01
High

CVE-2021-3461

A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].

CVSS: 7.1 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2022-03-25
Medium

CVE-2021-20323

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2022-03-16
Medium

CVE-2022-27225

Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookie…

CVSS: 6.5 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2022-01-25
High

CVE-2021-4133

A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even…

CVSS: 8.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-07-09
High

CVE-2021-3637

A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2021-06-01
Medium

CVE-2021-3424

A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to…

CVSS: 5.3 CWE: CWE-287 - Improper Authentication View on NVD
2021-05-28
Critical

CVE-2021-20195

A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encod…

CVSS: 9.6 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2020-27826

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribut…

CVSS: 4.2 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
2021-05-12
High

CVE-2021-20202

A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to t…

CVSS: 7.3 CWE: CWE-377 - Insecure Temporary File View on NVD
2021-03-23
High

CVE-2021-20222

A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2021-03-18
High

CVE-2021-3141

In Unisys Stealth (core) before 6.0.025.0, the Keycloak password is stored in a recoverable format that might be accessible by a local attacker, who could gain access to the Management Server and cha…

CVSS: 7.8 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2021-03-09
Medium

CVE-2021-20262

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical acc…

CVSS: 6.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2021-03-08
Medium

CVE-2020-27838

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be…

CVSS: 6.5 CWE: CWE-287 - Improper Authentication View on NVD
2021-02-23
High

CVE-2020-14359

A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some…

CVSS: 7.3 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
2021-02-11
Low

CVE-2020-1717

A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.

CVSS: 2.7 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Low

CVE-2020-10734

A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift App…

CVSS: 3.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2021-01-28
Medium

CVE-2020-1725

A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access to…

CVSS: 5.4 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2020-1723

A flaw was found in Keycloak Gatekeeper (Louketo). The logout endpoint can be abused to redirect logged-in users to arbitrary web pages. Affected versions of Keycloak Gatekeeper (Louketo): 6.0.1, 7.0…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2020-12-15
Medium

CVE-2020-14302

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the…

CVSS: 4.9 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
Medium

CVE-2020-10770

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this param…

CVSS: 5.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2020-11-17
High

CVE-2020-14389

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user…

CVSS: 8.1 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
Medium

CVE-2020-10776

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-11-09
Medium

CVE-2020-14366

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the f…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-09-16
Medium

CVE-2020-1694

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information…

CVSS: 4.9 CWE: CWE-183 - Permissive List of Allowed Inputs View on NVD
Medium

CVE-2020-10748

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or furt…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2020-10758

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value tha…

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2020-06-22
Medium

CVE-2020-1727

A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows…

CVSS: 6.4 CWE: CWE-20 - Improper Input Validation View on NVD
2020-05-15
Medium

CVE-2020-1758

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a m…

CVSS: 5.3 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2020-05-13
High

CVE-2020-1714

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Ob…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2020-05-12
High

CVE-2020-1718

A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.

CVSS: 7.1 CWE: CWE-287 - Improper Authentication View on NVD
2020-05-11
Medium

CVE-2020-1724

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account ma…

CVSS: 4.3 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Medium

CVE-2020-1698

A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confi…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-05-08
Medium

CVE-2019-10170

A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm manageme…

CVSS: 6.6 CWE: CWE-267 - Privilege Defined With Unsafe Actions View on NVD
Medium

CVE-2019-10169

A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure…

CVSS: 6.6 CWE: CWE-267 - Privilege Defined With Unsafe Actions View on NVD
2020-05-04
Medium

CVE-2020-10686

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post…

CVSS: 4.1 CWE: CWE-285 - Improper Authorization View on NVD
2020-04-06
Medium

CVE-2020-1728

A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does n…

CVSS: 4.8 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2020-03-24
Medium

CVE-2020-1744

A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the b…

CVSS: 5.6 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
2020-03-02
Critical

CVE-2020-1731

A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password re…

CVSS: 9.1 CWE: CWE-341 - Predictable from Observable State View on NVD
2020-02-10
Medium

CVE-2020-1697

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authe…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-01-08
Medium

CVE-2019-14820

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability cou…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2019-12-15
Medium

CVE-2014-3652

JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2019-12-10
Medium

CVE-2014-3656

JBoss KeyCloak: XSS in login-status-iframe.html

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-12-05
Critical

CVE-2019-14910

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2019-12-04
High

CVE-2019-14909

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted.

CVSS: 8.3 CWE: CWE-287 - Improper Authentication View on NVD
2019-11-13
Medium

CVE-2014-3655

JBoss KeyCloak is vulnerable to soft token deletion via CSRF

CVSS: 4.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2019-10-15
High

CVE-2019-14832

A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could…

CVSS: 7.5 CWE: CWE-863 - Incorrect Authorization View on NVD
2019-08-14
High

CVE-2019-10201

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message…

CVSS: 8.1 CWE: CWE-592 View on NVD
High

CVE-2019-10199

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing oper…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2019-06-12
Medium

CVE-2019-3875

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-10157

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use th…

CVSS: 4.7 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2019-04-24
Low

CVE-2019-3868

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider…

CVSS: 3.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-11-30
Medium

CVE-2018-14637

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

CVSS: 6.1 CWE: CWE-285 - Improper Authorization View on NVD
2018-11-13
Medium

CVE-2018-14658

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. Th…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
High

CVE-2018-14657

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.

CVSS: 8.1 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Medium

CVE-2018-14655

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentica…

CVSS: 4.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-08-01
Medium

CVE-2018-10894

It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further a…

CVSS: 5.4 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
Low

CVE-2016-8609

It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session…

CVSS: 3.7 CWE: CWE-384 - Session Fixation View on NVD
2018-07-27
High

CVE-2017-2646

It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker cou…

CVSS: 7.5 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
2018-07-26
Medium

CVE-2017-2582

It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an a…

CVSS: 6.5 CWE: CWE-201 - Insertion of Sensitive Information Into Sent Data View on NVD
2018-07-23
Medium

CVE-2018-10912

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infin…

CVSS: 4.9 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
2018-03-12
Medium

CVE-2017-2585

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to ti…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-8629

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication…

CVSS: 6.5 CWE: CWE-284 - Improper Access Control View on NVD
2018-02-21
High

CVE-2017-12161

It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious pa…

CVSS: 8.8 CWE: CWE-602 - Client-Side Enforcement of Server-Side Security View on NVD
2018-01-20
High

CVE-2017-15112

keycloak-httpd-client-install versions before 0.8 allow users to insecurely pass password through command line, leaking it via command history and process info to other local users.

CVSS: 7.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2017-15111

keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link.

CVSS: 5.5 CWE: CWE-377 - Insecure Temporary File View on NVD
2017-12-29
High

CVE-2014-3651

JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation.

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2017-10-26
High

CVE-2017-12160

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission re…

CVSS: 7.2 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2017-12159

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible…

CVSS: 7.5 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Medium

CVE-2017-12158

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain…

CVSS: 5.4 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2017-10-18
High

CVE-2014-3709

The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2017-05-12
Critical

CVE-2017-7474

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information,…

CVSS: 9.8 CWE: CWE-253 - Incorrect Check of Function Return Value View on NVD