org.keycloak:keycloak-server-spi-private 26.2.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-server-spi-private package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M CRLF Injection org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited emails limited to 64 characters by injecting special characters into the email input field. How to fix CRLF Injection? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.3.3 or higher.	[,26.3.3)
M Origin Validation Error org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error via the `review profile` process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account. Note: This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active. How to fix Origin Validation Error? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.3.0 or higher.	[,26.3.0)

Vulnerability

Vulnerable Version

CRLF Injection

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited emails limited to 64 characters by injecting special characters into the email input field.

How to fix CRLF Injection?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.3.3 or higher.

[,26.3.3)

Origin Validation Error

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account.

Note:

This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active.

How to fix Origin Validation Error?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.3.0 or higher.

[,26.3.0)

org.keycloak:keycloak-server-spi-private@26.2.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically