org.keycloak:keycloak-authz-client 5.0.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-authz-client package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-authz-client is a client API for Keycloak Authz. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-authz-client` to version 26.0.8 or higher.	[0,26.0.8)
M Remote Code Execution (RCE) org.keycloak:keycloak-authz-client is a client API for Keycloak Authz. Affected versions of this package are vulnerable to Remote Code Execution (RCE). A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application. How to fix Remote Code Execution (RCE)? Upgrade `org.keycloak:keycloak-authz-client` to version 8.0.0 or higher.	[,8.0.0)
M Information Exposure org.keycloak:keycloak-authz-client is the client API for Keycloak Authz. Affected versions of this package are vulnerable to Information Exposure. A flaw was found in keycloak where a logged exception in the `HttpMethod` class may leak the password given as parameter. How to fix Information Exposure? Upgrade `org.keycloak:keycloak-authz-client` to version 9.0.0 or higher.	[,9.0.0)

Vulnerability

Vulnerable Version

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-authz-client is a client API for Keycloak Authz.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-authz-client to version 26.0.8 or higher.

[0,26.0.8)

Remote Code Execution (RCE)

org.keycloak:keycloak-authz-client is a client API for Keycloak Authz.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application.

How to fix Remote Code Execution (RCE)?

Upgrade org.keycloak:keycloak-authz-client to version 8.0.0 or higher.

[,8.0.0)

Information Exposure

org.keycloak:keycloak-authz-client is the client API for Keycloak Authz.

Affected versions of this package are vulnerable to Information Exposure. A flaw was found in keycloak where a logged exception in the HttpMethod class may leak the password given as parameter.

How to fix Information Exposure?

Upgrade org.keycloak:keycloak-authz-client to version 9.0.0 or higher.

[,9.0.0)

org.keycloak:keycloak-authz-client@5.0.0 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?