org.keycloak:keycloak-services@16.1.0 vulnerabilities

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the WebAuthn authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication.

Upgrade org.keycloak:keycloak-services to version 23.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error due to the checkLoginIframe process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to an issue in the redirect_uri validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure due to not properly checking client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

Upgrade org.keycloak:keycloak-services to version 20.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them.

Upgrade org.keycloak:keycloak-services to version 22.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the form_post.jwt response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response.

Upgrade org.keycloak:keycloak-services to version 23.0.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the OIDC redirect_uri function. An attacker can submit a specially crafted request leading to cross-site scripting or further attacks by appending a wildcard to the token.

Upgrade org.keycloak:keycloak-services to version 22.0.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to LDAP Injection through the UsernameForm login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query.

Upgrade org.keycloak:keycloak-services to version 23.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the password and password-confirm fields from the form are treated as regular attributes. All users and clients with proper rights/roles are able to retrieve the user's passwords in cleartext.

Upgrade org.keycloak:keycloak-services to version 22.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the AssertionConsumerServiceURL implementation. Exploiting this vulnerability is possible by sending a crafted SAML XML request.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens.

Upgrade org.keycloak:keycloak-services to version 21.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the oob OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

Upgrade org.keycloak:keycloak-services to version 21.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the execute-actions-email endpoint in the admin REST API. Users can inject HTML into emails sent to other users.

Upgrade org.keycloak:keycloak-services to version 20.0.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity.

Upgrade org.keycloak:keycloak-services to version 20.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Directory Traversal due to not properly validating URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.

Upgrade org.keycloak:keycloak-services to version 20.0.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.

Upgrade org.keycloak:keycloak-services to version 20.0.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authorization. This allows a client application, holding a valid access token, to exchange tokens for any target client, bypassing the client_id of the target and allowing a client to gain unauthorized access to additional services.

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication. For each SAML client it is possible to send an AuthnRequest message via SOAP with Basic Authorization header and Keycloak will successfully authenticate the user for the client and will not consider the authentication flow applied. The presence of the flow is hidden from the administrator, it is not possible to disable it in the client's configuration similarly as direct grant etc.

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to User Impersonation when a malicious user can register himself with a name already registered, and trick admin to grant him extra privileges.

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.