org.keycloak:keycloak-services@1.0-alpha-3 vulnerabilities
-
latest version
26.0.5
-
latest non vulnerable version
-
first published
11 years ago
-
latest version published
21 days ago
-
licenses detected
- [1.0-alpha-1,)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.| Vulnerability | Vulnerable Version |
|---|---|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Exploiting this vulnerability is possible if a How to fix Open Redirect? Upgrade |
[,22.0.13)
[24.0.0,24.0.8)
[25.0.0,25.0.6)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Note:
This is only exploitable if a 'Valid Redirect URI' is set to How to fix URL Redirection to Untrusted Site ('Open Redirect')? Upgrade |
[,22.0.13)
[23.0.0,24.0.8)
[25.0.0,25.0.6)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect via the How to fix Open Redirect? Upgrade |
[,25.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Enforcement of a Single, Unique Action allowing an attacker to bypass brute force protection mechanisms by initiating multiple login requests simultaneously, thus exceeding the configured limits for failed attempts, before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. Note: This is only exploitable if Keycloak is configured with Brute Force Protection. How to fix Improper Enforcement of a Single, Unique Action? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication due to improper handling of session management during the re-authentication process. An attacker can hijack an active session by exploiting the flawed re-authentication mechanism. How to fix Improper Authentication? Upgrade |
[,22.0.10)
[23.0.0,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Standardized Error Handling Mechanism which could enable information exposure by brute force attacks comparing the error messages returned for disabled accounts with those of nonexistent accounts. How to fix Missing Standardized Error Handling Mechanism? Upgrade |
[,1.9.1.Final)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Overly Restrictive Account Lockout Mechanism due to a flaw in the account lockout mechanism. This issue may allow a remote unauthenticated attacker to prevent legitimate users from accessing their accounts by exploiting the account lockout functionality. Note: This is only exploitable if the realm is configured to use "User (Self) registration", the user registers with a username in email format, and the attacker discovers a valid email address for an account. How to fix Overly Restrictive Account Lockout Mechanism? Upgrade |
[,24.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. How to fix Always-Incorrect Control Flow Implementation? Upgrade |
[,24.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via the admin REST API endpoints. An attacker with low privileges can perform actions reserved for administrators, potentially leading to data breaches or system compromise by exploiting administrative functionalities without proper authorization. How to fix Improper Privilege Management? Upgrade |
[,24.0.5)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information. Note If you use OIDC confidential clients together with PAR and use client authentication based on How to fix Insecure Storage of Sensitive Information? Upgrade |
[,24.0.5)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the How to fix Improper Input Validation? Upgrade |
[,23.0.5)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error due to the How to fix Origin Validation Error? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. How to fix Authentication Bypass? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to an issue in the How to fix Open Redirect? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission. How to fix Cross-site Scripting (XSS)? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with How to fix Authorization Bypass Through User-Controlled Key? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication. How to fix Missing Critical Step in Authentication? Upgrade |
[,22.0.10)
[23.0.0,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure due to not properly checking client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information. How to fix Information Exposure? Upgrade |
[0,20.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them. How to fix Improper Authorization? Upgrade |
[,22.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the How to fix Open Redirect? Upgrade |
[,23.0.4)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)? Upgrade |
[,22.0.7)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to LDAP Injection through the How to fix LDAP Injection? Upgrade |
[,23.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the How to fix Credential Exposure? Upgrade |
[,22.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients. How to fix Improper Certificate Validation? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the How to fix Cross-site Scripting (XSS)? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder.
Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a How to fix Authentication Bypass by Spoofing? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens. How to fix Insufficient Verification of Data Authenticity? Upgrade |
[,21.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the How to fix Cross-site Scripting (XSS)? Upgrade |
[,21.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the How to fix Cross-site Scripting (XSS)? Upgrade |
[,20.0.4)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity. How to fix Cross-site Scripting (XSS)? Upgrade |
[0,20.0.5)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Directory Traversal due to not properly validating URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks. How to fix Directory Traversal? Upgrade |
[0,20.0.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session when using a client with the How to fix Exposure of Data Element to Wrong Session? Upgrade |
[0,20.0.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authorization. This allows a client application, holding a valid access token, to exchange tokens for any target client, bypassing the How to fix Access Restriction Bypass? Upgrade |
[,18.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure. When a malicious actor causes an account lockdown by brute-forcing the credentials, they may then continue to attempt to log-in, and will be notified that the account is locked when the input password is correct. How to fix Information Exposure? Upgrade |
[0,13.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication due to a flaw in the reset credentials flow, which allows an attacker to gain unauthorized access to the application. How to fix Improper Authentication? Upgrade |
[,8.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Directory Traversal due to missing sanitization in How to fix Directory Traversal? Upgrade |
[0,15.1.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication. For each SAML client it is possible to send an How to fix Improper Authentication? Upgrade |
[,18.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication. Anyone can register a new device for an account when there is no device registered for passwordless login. How to fix Improper Authentication? Upgrade |
[0,15.1.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insecure Permissions. A flaw was found in Keycloak where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. How to fix Insecure Permissions? Upgrade |
[,12.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insecure Temporary File. A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity. How to fix Insecure Temporary File? Upgrade |
[,13.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Access Control. Keycloak may fail to logout user session if the logout request comes from an external SAML identity provider and Principal Type is set to Attribute Name. How to fix Improper Access Control? Upgrade |
[,14.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. How to fix Information Exposure? Upgrade |
[,13.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to User Impersonation when a malicious user can register himself with a name already registered, and trick admin to grant him extra privileges. How to fix User Impersonation? Upgrade |
[,18.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Input Validation. Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct-grant authenticator. This is because Keycloak does not trigger the appropriate timestamp validation. How to fix Improper Input Validation? Upgrade |
[,9.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via How to fix Cross-site Scripting (XSS)? Upgrade |
[0,12.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via How to fix Server-Side Request Forgery (SSRF)? Upgrade |
[,12.0.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Directory Traversal while using URL-encoded path segments in the request. It is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can be exposed by this flaw How to fix Directory Traversal? Upgrade |
[0,11.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Input Validation. There is a missing input validation in IDP authorization URLs. How to fix Improper Input Validation? Upgrade |
[,9.0.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation. It does not perform TLS hostname verification when sending emails via an SMTP server which could result in information disclosure. How to fix Improper Certificate Validation? Upgrade |
[,10.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Disclosure. It allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. How to fix Information Disclosure? Upgrade |
[,9.0.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Code Injection. A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. How to fix Code Injection? Upgrade |
[,8.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure. A How to fix Information Exposure? Upgrade |
[,9.0.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Use of Hard-coded Constants. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. How to fix Use of Hard-coded Constants? Upgrade |
[,8.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure. Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session. How to fix Information Exposure? Upgrade |
[,6.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It was found that Keycloak's account console did not perform adequate header checks in some requests. As such, an attacker could use this flaw to trick an authenticated user into performing operations via a forged request from an untrusted domain. How to fix Cross-site Request Forgery (CSRF)? Upgrade |
[,7.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Control Bypass. The SAML broker used within keycloak did not verify missing message signatures. As such, it is possible for an attacker to modify the SAML Response and remove the section and impersonate another user to gain unauthorized access. This is due to the SAML message is still accepted by the package after being tampered with. How to fix Access Control Bypass? Upgrade |
[,7.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The How to fix Man-in-the-Middle (MitM)? Upgrade |
[,6.0.0)
|
org.keycloak:keycloak-services is an Open Source Identity and Access Management For Modern Applications and Services. Affected versions of this package are vulnerable to Replay attack due to the SAML broker consumer endpoint which ignored expiration conditions on SAML assertions. How to fix Replay attack? Upgrade |
[,4.6.0.Final)
|
org.keycloak:keycloak-services is an Open Source Identity and Access Management For Modern Applications and Services. Affected versions of this package are vulnerable to Open Redirect via the How to fix Open Redirect? Upgrade |
[,4.5.0.Final)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Restriction Bypass. It did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm. How to fix Access Restriction Bypass? Upgrade |
[,2.4.0.Final)
|
Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF). The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. How to fix Cross-site Request Forgery (CSRF)? Upgrade |
[,1.0.3.Final)
|
Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF). It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. How to fix Cross-site Request Forgery (CSRF)? Upgrade |
[,3.3.0.Final)
|
Affected versions of the package are vulnerable to Privilege Escalation. It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks How to fix Privilege Escalation? Upgrade |
[,3.3.0.Final)
|
|
[,1.0.2.Final)
|
|
[,1.0.3.Final)
|