org.keycloak:keycloak-services@16.1.0 vulnerabilities
-
latest version
24.0.4
-
latest non vulnerable version
-
first published
10 years ago
-
latest version published
21 days ago
-
licenses detected
- [1.0-alpha-1,)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the How to fix Improper Input Validation? Upgrade |
[,23.0.5)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error due to the How to fix Origin Validation Error? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. How to fix Authentication Bypass? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to an issue in the How to fix Open Redirect? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission. How to fix Cross-site Scripting (XSS)? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with How to fix Authorization Bypass Through User-Controlled Key? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication. How to fix Missing Critical Step in Authentication? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure due to not properly checking client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information. How to fix Information Exposure? Upgrade |
[0,20.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them. How to fix Improper Authorization? Upgrade |
[,22.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the How to fix Open Redirect? Upgrade |
[,23.0.4)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)? Upgrade |
[,22.0.7)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to LDAP Injection through the How to fix LDAP Injection? Upgrade |
[,23.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the How to fix Credential Exposure? Upgrade |
[,22.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients. How to fix Improper Certificate Validation? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the How to fix Cross-site Scripting (XSS)? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder.
Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a How to fix Authentication Bypass by Spoofing? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens. How to fix Insufficient Verification of Data Authenticity? Upgrade |
[,21.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the How to fix Cross-site Scripting (XSS)? Upgrade |
[,21.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the How to fix Cross-site Scripting (XSS)? Upgrade |
[,20.0.4)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity. How to fix Cross-site Scripting (XSS)? Upgrade |
[0,20.0.5)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Directory Traversal due to not properly validating URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks. How to fix Directory Traversal? Upgrade |
[0,20.0.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session when using a client with the How to fix Exposure of Data Element to Wrong Session? Upgrade |
[0,20.0.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authorization. This allows a client application, holding a valid access token, to exchange tokens for any target client, bypassing the How to fix Access Restriction Bypass? Upgrade |
[,18.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication. For each SAML client it is possible to send an How to fix Improper Authentication? Upgrade |
[,18.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to User Impersonation when a malicious user can register himself with a name already registered, and trick admin to grant him extra privileges. How to fix User Impersonation? Upgrade |
[,18.0.0)
|