org.keycloak:keycloak-services@16.1.0 vulnerabilities

latest version

25.0.4
first published

11 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [1.0-alpha-1,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H URL Redirection to Untrusted Site ('Open Redirect') org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Note: This is only exploitable if a 'Valid Redirect URI' is set to `http://localhost` or `http://127.0.0.1`. How to fix URL Redirection to Untrusted Site ('Open Redirect')? Upgrade `org.keycloak:keycloak-services` to version 22.0.13, 24.0.8, 25.0.6 or higher.	[,22.0.13) [23.0.0,24.0.8) [25.0.0,25.0.6)
M Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect via the `referrer` and `referrer_uri` parameters. This allows an attacker who can convince an admin user to follow a malicious link - which may be further obfuscated by means such as URL encoding - to be redirected to a malicious location. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 25.0.0 or higher.	[,25.0.0)
M Improper Enforcement of a Single, Unique Action org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Enforcement of a Single, Unique Action allowing an attacker to bypass brute force protection mechanisms by initiating multiple login requests simultaneously, thus exceeding the configured limits for failed attempts, before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. Note: This is only exploitable if Keycloak is configured with Brute Force Protection. How to fix Improper Enforcement of a Single, Unique Action? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Improper Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication due to improper handling of session management during the re-authentication process. An attacker can hijack an active session by exploiting the flawed re-authentication mechanism. How to fix Improper Authentication? Upgrade `org.keycloak:keycloak-services` to version 22.0.10, 24.0.3 or higher.	[,22.0.10) [23.0.0,24.0.3)
L Overly Restrictive Account Lockout Mechanism org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Overly Restrictive Account Lockout Mechanism due to a flaw in the account lockout mechanism. This issue may allow a remote unauthenticated attacker to prevent legitimate users from accessing their accounts by exploiting the account lockout functionality. Note: This is only exploitable if the realm is configured to use "User (Self) registration", the user registers with a username in email format, and the attacker discovers a valid email address for an account. How to fix Overly Restrictive Account Lockout Mechanism? Upgrade `org.keycloak:keycloak-services` to version 24.0.0 or higher.	[,24.0.0)
L Always-Incorrect Control Flow Implementation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. How to fix Always-Incorrect Control Flow Implementation? Upgrade `org.keycloak:keycloak-services` to version 24.0.0 or higher.	[,24.0.0)
L Cross-Site Request Forgery (CSRF) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) due to the lack of a unique token sent during the authentication POST request, `/login-actions/authenticate`. This flaw allows an attacker to craft a malicious login page and trick a legitimate user of an application into authenticating with an attacker-controlled account instead of their own. How to fix Cross-Site Request Forgery (CSRF)? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
H Improper Privilege Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via the admin REST API endpoints. An attacker with low privileges can perform actions reserved for administrators, potentially leading to data breaches or system compromise by exploiting administrative functionalities without proper authorization. How to fix Improper Privilege Management? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[,24.0.5)
M Insecure Storage of Sensitive Information org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using `client_secret_post` based authentication. This vulnerability derived from client-provided parameters that were included in plain text within the `KC_RESTART` cookie, which the authorization server returned in its HTTP response to a `request_uri` authorization request. To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information. Note If you use OIDC confidential clients together with PAR and use client authentication based on `client_id` and `client_secret` sent as parameters in the HTTP request body (method `client_secret_post` specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version. How to fix Insecure Storage of Sensitive Information? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[,24.0.5)
M Cleartext Storage of Sensitive Information in a Cookie org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in a Cookie in the OAuth 2.0 Pushed Authorization Requests (PAR) through the `KC_RESTART` cookie. An attacker can access sensitive client-provided parameters by intercepting HTTP responses from the authorization server. How to fix Cleartext Storage of Sensitive Information in a Cookie? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[7.0.0,24.0.5)
M Improper Input Validation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the `WebAuthn` authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication. How to fix Improper Input Validation? Upgrade `org.keycloak:keycloak-services` to version 23.0.5 or higher.	[,23.0.5)
H Origin Validation Error org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error due to the `checkLoginIframe` process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code. How to fix Origin Validation Error? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Authentication Bypass org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. How to fix Authentication Bypass? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
H Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to an issue in the `redirect_uri` validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
H Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Authorization Bypass Through User-Controlled Key org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with `TrustedDomain` configuration. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Missing Critical Step in Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication. How to fix Missing Critical Step in Authentication? Upgrade `org.keycloak:keycloak-services` to version 22.0.10, 24.0.3 or higher.	[,22.0.10) [23.0.0,24.0.3)
L Information Exposure org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure due to not properly checking client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information. How to fix Information Exposure? Upgrade `org.keycloak:keycloak-services` to version 20.0.3 or higher.	[0,20.0.3)
M Improper Authorization org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them. How to fix Improper Authorization? Upgrade `org.keycloak:keycloak-services` to version 22.0.1 or higher.	[,22.0.1)
M Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the `form_post.jwt` response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 23.0.4 or higher.	[,23.0.4)
M Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the `OIDC redirect_uri` function. An attacker can submit a specially crafted request leading to cross-site scripting or further attacks by appending a wildcard to the token. How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)? Upgrade `org.keycloak:keycloak-services` to version 22.0.7 or higher.	[,22.0.7)
M LDAP Injection org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to LDAP Injection through the `UsernameForm` login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query. How to fix LDAP Injection? Upgrade `org.keycloak:keycloak-services` to version 23.0.1 or higher.	[,23.0.1)
M Credential Exposure org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the `password` and `password-confirm` fields from the form are treated as regular attributes. All users and clients with proper rights/roles are able to retrieve the user's passwords in cleartext. How to fix Credential Exposure? Upgrade `org.keycloak:keycloak-services` to version 22.0.3 or higher.	[,22.0.3)
H Improper Certificate Validation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients. How to fix Improper Certificate Validation? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
M Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the `AssertionConsumerServiceURL` implementation. Exploiting this vulnerability is possible by sending a crafted SAML XML request. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
L Authentication Bypass by Spoofing org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a `device_code` to retrieve an access token for other OAuth clients. How to fix Authentication Bypass by Spoofing? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
H Insufficient Verification of Data Authenticity org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens. How to fix Insufficient Verification of Data Authenticity? Upgrade `org.keycloak:keycloak-services` to version 21.0.1 or higher.	[,21.0.1)
M Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the `oob` OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 21.0.0 or higher.	[,21.0.0)
M Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `execute-actions-email` endpoint in the admin REST API. Users can inject HTML into emails sent to other users. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 20.0.4 or higher.	[,20.0.4)
M Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 20.0.5 or higher.	[0,20.0.5)
C Directory Traversal org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Directory Traversal due to not properly validating URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks. How to fix Directory Traversal? Upgrade `org.keycloak:keycloak-services` to version 20.0.2 or higher.	[0,20.0.2)
M Exposure of Data Element to Wrong Session org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. How to fix Exposure of Data Element to Wrong Session? Upgrade `org.keycloak:keycloak-services` to version 20.0.2 or higher.	[0,20.0.2)
M Access Restriction Bypass org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authorization. This allows a client application, holding a valid access token, to exchange tokens for any target client, bypassing the `client_id` of the target and allowing a client to gain unauthorized access to additional services. How to fix Access Restriction Bypass? Upgrade `org.keycloak:keycloak-services` to version 18.0.0 or higher.	[,18.0.0)
M Improper Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication. For each SAML client it is possible to send an `AuthnRequest` message via SOAP with Basic Authorization header and Keycloak will successfully authenticate the user for the client and will not consider the authentication flow applied. The presence of the flow is hidden from the administrator, it is not possible to disable it in the client's configuration similarly as direct grant etc. How to fix Improper Authentication? Upgrade `org.keycloak:keycloak-services` to version 18.0.0 or higher.	[,18.0.0)
M User Impersonation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to User Impersonation when a malicious user can register himself with a name already registered, and trick admin to grant him extra privileges. How to fix User Impersonation? Upgrade `org.keycloak:keycloak-services` to version 18.0.0 or higher.	[,18.0.0)

Go back to all versions of this package

org.keycloak:keycloak-services@16.1.0 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities