org.keycloak:keycloak-services 21.0.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M External Control of File Name or Path org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of File Name or Path due to the vault secret lookup not accounting for the Windows file separator `\` on Windows systems. An attacker can access information about the existence of files outside the intended context by submitting specially crafted requests. Note: This issue stems from incomplete fix for CVE-2024-10492. How to fix External Control of File Name or Path? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Exposure of Sensitive System Information to an Unauthorized Control Sphere org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the `/admin/serverinfo` endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console. Note: Direct access to this endpoint returns a 401 Unauthorized error. How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
L Improper Privilege Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the `manage-users` role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally. Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name. How to fix Improper Privilege Management? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)

Vulnerability

Vulnerable Version

External Control of File Name or Path

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to External Control of File Name or Path due to the vault secret lookup not accounting for the Windows file separator \ on Windows systems. An attacker can access information about the existence of files outside the intended context by submitting specially crafted requests.

Note:

This issue stems from incomplete fix for CVE-2024-10492.

How to fix External Control of File Name or Path?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Exposure of Sensitive System Information to an Unauthorized Control Sphere

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the /admin/serverinfo endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console.

Note: Direct access to this endpoint returns a 401 Unauthorized error.

How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Improper Privilege Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the manage-users role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally.

Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name.

How to fix Improper Privilege Management?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

org.keycloak:keycloak-services@21.0.1 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?