org.keycloak:keycloak-core@4.8.0.Final vulnerabilities

- latest version: 24.0.2
- first published: 10 years ago
- latest version published: 25 days ago
- licenses detected: [1.0-alpha-1,)
- package manager
Known vulnerabilities in the org.keycloak:keycloak-core package. This does not include vulnerabilities belonging to this package’s dependencies.
org.keycloak:keycloak-core is an open source identity and access management solution. Affected versions of this package are vulnerable to the issues listed below.

Vulnerability | Vulnerable versions | How to fix
---|---|---
Overly Restrictive Account Lockout Mechanism, due to a flaw in the account lockout mechanism. A remote unauthenticated attacker may prevent legitimate users from accessing their accounts by triggering the account lockout functionality. Note: this is only exploitable if the realm is configured to use "User (Self) registration", the user registers with a username in email format, and the attacker discovers a valid email address for an account. | [0,) | No fixed version
Improper Certificate Validation, due to allowing unintended access of an untrusted certificate when using | [0,21.1.2) | Upgrade
Improper Input Validation: an attacker is able to register with a username that is the same as the email ID of an existing user. This may prevent that user from receiving the password recovery email if they forget their password. | [0,) | No fixed version
Improper Authorization, and as a result, | [,17.0.1) | Upgrade
Cross-site Scripting (XSS) via POST HTTP requests, due to improper escaping. | [,17.0.0) | Upgrade
Cross-site Scripting (XSS): reflected XSS via the referrer in the new account console. The new account console in Keycloak can allow malicious code to be executed using the referrer URL. | [,13.0.0) | Upgrade
Cross-site Scripting (XSS): the Account console allows stored self-XSS via the impersonation mechanism. A self stored XSS attack vector escalating to a complete account takeover is possible because user-supplied data fields are not properly encoded and JavaScript code is used to process the data. | [,13.0.0) | Upgrade
Improper Access Control: a user still has access to a resource after the role mappings are changed in Keycloak and after the previous access token has expired. | [0,13.0.0) | Upgrade
Information Disclosure: the operator generates a random admin password when installing Keycloak, but the password remains the same when deployed to the same OpenShift namespace. | [,8.0.2) | Upgrade
Clickjacking: the pages in the Admin Console area of the application are completely missing general HTTP security headers in HTTP responses. This does not directly lead to a security issue, but it may aid attackers in exploiting other problems. The flaw unnecessarily makes the servers more prone to clickjacking, channel downgrade attacks and similar client-side attack vectors. | [,10.0.0) | Upgrade
Information Exposure: Keycloak exposes internal adapter endpoints in | [0,8.0.0) | Upgrade
Information Exposure: Keycloak allows the end-user token (access or ID token JWT) to be used as the session cookie for browser sessions for OIDC. As a result, an attacker with access to a service provider backend could hijack a user's browser session. | [,6.0.1) | Upgrade