org.keycloak:keycloak-services@16.1.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
URL Redirection to Untrusted Site ('Open Redirect')

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking.

Note: This is only exploitable if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1.

How to fix URL Redirection to Untrusted Site ('Open Redirect')?

Upgrade org.keycloak:keycloak-services to version 22.0.13, 24.0.8, 25.0.6 or higher.

[,22.0.13) [23.0.0,24.0.8) [25.0.0,25.0.6)
  • M
Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect via the referrer and referrer_uri parameters. This allows an attacker who can convince an admin user to follow a malicious link - which may be further obfuscated by means such as URL encoding - to be redirected to a malicious location.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 25.0.0 or higher.

[,25.0.0)
  • M
Improper Enforcement of a Single, Unique Action

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Enforcement of a Single, Unique Action allowing an attacker to bypass brute force protection mechanisms by initiating multiple login requests simultaneously, thus exceeding the configured limits for failed attempts, before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Note: This is only exploitable if Keycloak is configured with Brute Force Protection.

How to fix Improper Enforcement of a Single, Unique Action?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)
  • M
Improper Authentication

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication due to improper handling of session management during the re-authentication process. An attacker can hijack an active session by exploiting the flawed re-authentication mechanism.

How to fix Improper Authentication?

Upgrade org.keycloak:keycloak-services to version 22.0.10, 24.0.3 or higher.

[,22.0.10) [23.0.0,24.0.3)
  • L
Overly Restrictive Account Lockout Mechanism

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Overly Restrictive Account Lockout Mechanism due to a flaw in the account lockout mechanism. This issue may allow a remote unauthenticated attacker to prevent legitimate users from accessing their accounts by exploiting the account lockout functionality.

Note:

This is only exploitable if the realm is configured to use "User (Self) registration", the user registers with a username in email format, and the attacker discovers a valid email address for an account.

How to fix Overly Restrictive Account Lockout Mechanism?

Upgrade org.keycloak:keycloak-services to version 24.0.0 or higher.

[,24.0.0)
  • L
Always-Incorrect Control Flow Implementation

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.

How to fix Always-Incorrect Control Flow Implementation?

Upgrade org.keycloak:keycloak-services to version 24.0.0 or higher.

[,24.0.0)
  • L
Cross-Site Request Forgery (CSRF)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) due to the lack of a unique token sent during the authentication POST request, /login-actions/authenticate. This flaw allows an attacker to craft a malicious login page and trick a legitimate user of an application into authenticating with an attacker-controlled account instead of their own.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for org.keycloak:keycloak-services.

[0,)
  • H
Improper Privilege Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via the admin REST API endpoints. An attacker with low privileges can perform actions reserved for administrators, potentially leading to data breaches or system compromise by exploiting administrative functionalities without proper authorization.

How to fix Improper Privilege Management?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[,24.0.5)
  • M
Insecure Storage of Sensitive Information

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using client_secret_post based authentication. This vulnerability derived from client-provided parameters that were included in plain text within the KC_RESTART cookie, which the authorization server returned in its HTTP response to a request_uri authorization request.

To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information.

Note

If you use OIDC confidential clients together with PAR and use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version.

How to fix Insecure Storage of Sensitive Information?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[,24.0.5)
  • M
Cleartext Storage of Sensitive Information in a Cookie

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in a Cookie in the OAuth 2.0 Pushed Authorization Requests (PAR) through the KC_RESTART cookie. An attacker can access sensitive client-provided parameters by intercepting HTTP responses from the authorization server.

How to fix Cleartext Storage of Sensitive Information in a Cookie?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[7.0.0,24.0.5)
  • M
Improper Input Validation

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the WebAuthn authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication.

How to fix Improper Input Validation?

Upgrade org.keycloak:keycloak-services to version 23.0.5 or higher.

[,23.0.5)
  • H
Origin Validation Error

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error due to the checkLoginIframe process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code.

How to fix Origin Validation Error?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)
  • M
Authentication Bypass

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

How to fix Authentication Bypass?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)
  • H
Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to an issue in the redirect_uri validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)
  • H
Cross-site Scripting (XSS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)
  • M
Authorization Bypass Through User-Controlled Key

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)
  • M
Missing Critical Step in Authentication

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication.

How to fix Missing Critical Step in Authentication?

Upgrade org.keycloak:keycloak-services to version 22.0.10, 24.0.3 or higher.

[,22.0.10) [23.0.0,24.0.3)
  • L
Information Exposure

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure due to not properly checking client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

How to fix Information Exposure?

Upgrade org.keycloak:keycloak-services to version 20.0.3 or higher.

[0,20.0.3)
  • M
Improper Authorization

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them.

How to fix Improper Authorization?

Upgrade org.keycloak:keycloak-services to version 22.0.1 or higher.

[,22.0.1)
  • M
Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the form_post.jwt response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 23.0.4 or higher.

[,23.0.4)
  • M
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the OIDC redirect_uri function. An attacker can submit a specially crafted request leading to cross-site scripting or further attacks by appending a wildcard to the token.

How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)?

Upgrade org.keycloak:keycloak-services to version 22.0.7 or higher.

[,22.0.7)
  • M
LDAP Injection

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to LDAP Injection through the UsernameForm login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query.

How to fix LDAP Injection?

Upgrade org.keycloak:keycloak-services to version 23.0.1 or higher.

[,23.0.1)
  • M
Credential Exposure

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the password and password-confirm fields from the form are treated as regular attributes. All users and clients with proper rights/roles are able to retrieve the user's passwords in cleartext.

How to fix Credential Exposure?

Upgrade org.keycloak:keycloak-services to version 22.0.3 or higher.

[,22.0.3)
  • H
Improper Certificate Validation

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients.

How to fix Improper Certificate Validation?

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

[,21.1.2)
  • M
Cross-site Scripting (XSS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the AssertionConsumerServiceURL implementation. Exploiting this vulnerability is possible by sending a crafted SAML XML request.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

[,21.1.2)
  • L
Authentication Bypass by Spoofing

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.

How to fix Authentication Bypass by Spoofing?

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

[,21.1.2)
  • H
Insufficient Verification of Data Authenticity

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens.

How to fix Insufficient Verification of Data Authenticity?

Upgrade org.keycloak:keycloak-services to version 21.0.1 or higher.

[,21.0.1)
  • M
Cross-site Scripting (XSS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the oob OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-services to version 21.0.0 or higher.

[,21.0.0)
  • M
Cross-site Scripting (XSS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the execute-actions-email endpoint in the admin REST API. Users can inject HTML into emails sent to other users.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-services to version 20.0.4 or higher.

[,20.0.4)
  • M
Cross-site Scripting (XSS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-services to version 20.0.5 or higher.

[0,20.0.5)
  • C
Directory Traversal

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Directory Traversal due to not properly validating URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.

How to fix Directory Traversal?

Upgrade org.keycloak:keycloak-services to version 20.0.2 or higher.

[0,20.0.2)
  • M
Exposure of Data Element to Wrong Session

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.

How to fix Exposure of Data Element to Wrong Session?

Upgrade org.keycloak:keycloak-services to version 20.0.2 or higher.

[0,20.0.2)
  • M
Access Restriction Bypass

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authorization. This allows a client application, holding a valid access token, to exchange tokens for any target client, bypassing the client_id of the target and allowing a client to gain unauthorized access to additional services.

How to fix Access Restriction Bypass?

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.

[,18.0.0)
  • M
Improper Authentication

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication. For each SAML client it is possible to send an AuthnRequest message via SOAP with Basic Authorization header and Keycloak will successfully authenticate the user for the client and will not consider the authentication flow applied. The presence of the flow is hidden from the administrator, it is not possible to disable it in the client's configuration similarly as direct grant etc.

How to fix Improper Authentication?

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.

[,18.0.0)
  • M
User Impersonation

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to User Impersonation when a malicious user can register himself with a name already registered, and trick admin to grant him extra privileges.

How to fix User Impersonation?

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.

[,18.0.0)