org.keycloak:keycloak-model-jpa 8.0.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-model-jpa package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-model-jpa is an Identity and Access Management module for Keycloak JPA. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-model-jpa` to version 26.0.8 or higher.	[,26.0.8)
H Allocation of Resources Without Limits or Throttling org.keycloak:keycloak-model-jpa is an Identity and Access Management module for Keycloak JPA. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to an unconstrained memory consumption issue when the `consents` tab of the admin User Interface is accessed. An attacker can cause excessive memory and CPU consumption, potentially crashing the system by creating multiple user sessions and opening the `consents` tab, which attempts to load a large number of offline client sessions. Note: This is only exploitable if the environment has millions of offline tokens (more than 500,000 users with each having at least 2 saved sessions). How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.keycloak:keycloak-model-jpa` to version 21.0.0 or higher.	[,21.0.0)
M Improper Authorization org.keycloak:keycloak-model-jpa is an Identity and Access Management module for Keycloak JPA. Affected versions of this package are vulnerable to Improper Authorization. A community-only flaw was found in Keycloak, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. How to fix Improper Authorization? Upgrade `org.keycloak:keycloak-model-jpa` to version 9.0.2 or higher.	[,9.0.2)

Vulnerability

Vulnerable Version

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-model-jpa is an Identity and Access Management module for Keycloak JPA.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-model-jpa to version 26.0.8 or higher.

[,26.0.8)

Allocation of Resources Without Limits or Throttling

org.keycloak:keycloak-model-jpa is an Identity and Access Management module for Keycloak JPA.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to an unconstrained memory consumption issue when the consents tab of the admin User Interface is accessed. An attacker can cause excessive memory and CPU consumption, potentially crashing the system by creating multiple user sessions and opening the consents tab, which attempts to load a large number of offline client sessions.

Note:

This is only exploitable if the environment has millions of offline tokens (more than 500,000 users with each having at least 2 saved sessions).

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.keycloak:keycloak-model-jpa to version 21.0.0 or higher.

[,21.0.0)

Improper Authorization

org.keycloak:keycloak-model-jpa is an Identity and Access Management module for Keycloak JPA.

Affected versions of this package are vulnerable to Improper Authorization. A community-only flaw was found in Keycloak, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

How to fix Improper Authorization?

Upgrade org.keycloak:keycloak-model-jpa to version 9.0.2 or higher.

[,9.0.2)

org.keycloak:keycloak-model-jpa@8.0.2 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?