org.keycloak:keycloak-core@3.4.0.Final vulnerabilities

  • latest version

    26.0.7

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    20 days ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Use of a Key Past its Expiration Date

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the extended validation period of OTP codes. An attacker can gain unauthorized access by using expired OTP codes that should no longer be valid.

    How to fix Use of a Key Past its Expiration Date?

    Upgrade org.keycloak:keycloak-core to version 24.0.7, 25.0.4 or higher.

    [,24.0.7)[25.0.0,25.0.4)
    • H
    Improper Handling of Extra Values

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Improper Handling of Extra Values due to the lack of limitation on the number of attributes per object. An attacker can cause resource exhaustion by sending repeated HTTP requests that result in the application sending back rows with long attribute values.

    How to fix Improper Handling of Extra Values?

    Upgrade org.keycloak:keycloak-core to version 24.0.0 or higher.

    [0,24.0.0)
    • M
    Unprotected Transport of Credentials

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Unprotected Transport of Credentials for the LDAP testing endpoint, which allows the modification of the Connection URL without entering the LDAP bind credentials. An attacker with manage-realm permission can redirect the LDAP host to an arbitrary URL.

    How to fix Unprotected Transport of Credentials?

    Upgrade org.keycloak:keycloak-core to version 24.0.6, 25.0.1 or higher.

    [,24.0.6)[25.0.0,25.0.1)
    • M
    Improper Certificate Validation

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Improper Certificate Validation due to allowing unintended access of an untrusted certificate when using Revalidate Client Certificate and when KC_SPI_TRUSTSTORE_FILE_FILE is misconfigured.

    How to fix Improper Certificate Validation?

    Upgrade org.keycloak:keycloak-core to version 21.1.2 or higher.

    [0,21.1.2)
    • H
    Improper Authorization

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Improper Authorization and as a result, Red Hat Single Sign-On, a project based on keycloak, is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

    How to fix Improper Authorization?

    Upgrade org.keycloak:keycloak-core to version 17.0.1 or higher.

    [,17.0.1)
    • M
    Cross-site Scripting (XSS)

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via POST http requests, due to improper escaping.

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.keycloak:keycloak-core to version 17.0.0 or higher.

    [,17.0.0)
    • H
    Cross-site Scripting (XSS)

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The Account console allows stored self-XSS via impersonation mechanism. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data.

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.keycloak:keycloak-core to version 13.0.0 or higher.

    [,13.0.0)
    • H
    Cross-site Scripting (XSS)

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Reflected XSS attack with referrer in new account console. The new account console in keycloak can allow malicious code to be executed using the referrer URL.

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.keycloak:keycloak-core to version 13.0.0 or higher.

    [,13.0.0)
    • M
    Improper Access Control

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Improper Access Control. A user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.

    How to fix Improper Access Control?

    Upgrade org.keycloak:keycloak-core to version 13.0.0 or higher.

    [0,13.0.0)
    • C
    Information Disclosure

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Information Disclosure. The operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.

    How to fix Information Disclosure?

    Upgrade org.keycloak:keycloak-core to version 8.0.2 or higher.

    [,8.0.2)
    • L
    Clickjacking

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Clickjacking. Tthe pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses.

    This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.

    How to fix Clickjacking?

    Upgrade org.keycloak:keycloak-core to version 10.0.0 or higher.

    [,10.0.0)
    • M
    Information Exposure

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Information Exposure. It was found that keycloak exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.

    How to fix Information Exposure?

    Upgrade org.keycloak:keycloak-core to version 8.0.0 or higher.

    [0,8.0.0)
    • L
    Information Exposure

    org.keycloak:keycloak-core is an open source identity and access management solution.

    Affected versions of this package are vulnerable to Information Exposure. Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session.

    How to fix Information Exposure?

    Upgrade org.keycloak:keycloak-core to version 6.0.1 or higher.

    [,6.0.1)
    • H
    URL Spoofing

    org.keycloak:keycloak-core is an open Source Identity and Access Management for modern Applications and Services.

    Affected versions of this package are vulnerable to URL Spoofing. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.

    Note: CVE-2017-1000500 is a duplicate of CVE-2017-12161.

    How to fix URL Spoofing?

    Upgrade org.keycloak:keycloak-core to version 3.4.2 or higher.

    [,3.4.2.Final)