org.keycloak:keycloak-services@20.0.4 vulnerabilities

latest version

24.0.3
latest non vulnerable version

24.0.3
first published

10 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [1.0-alpha-1,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Improper Input Validation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the `WebAuthn` authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication. How to fix Improper Input Validation? Upgrade `org.keycloak:keycloak-services` to version 23.0.5 or higher.	[,23.0.5)
H Origin Validation Error org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error due to the `checkLoginIframe` process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code. How to fix Origin Validation Error? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Authentication Bypass org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. How to fix Authentication Bypass? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
H Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to an issue in the `redirect_uri` validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
H Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Authorization Bypass Through User-Controlled Key org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with `TrustedDomain` configuration. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Missing Critical Step in Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication. How to fix Missing Critical Step in Authentication? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Improper Authorization org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them. How to fix Improper Authorization? Upgrade `org.keycloak:keycloak-services` to version 22.0.1 or higher.	[,22.0.1)
M Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the `form_post.jwt` response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 23.0.4 or higher.	[,23.0.4)
M Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the `OIDC redirect_uri` function. An attacker can submit a specially crafted request leading to cross-site scripting or further attacks by appending a wildcard to the token. How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)? Upgrade `org.keycloak:keycloak-services` to version 22.0.7 or higher.	[,22.0.7)
M LDAP Injection org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to LDAP Injection through the `UsernameForm` login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query. How to fix LDAP Injection? Upgrade `org.keycloak:keycloak-services` to version 23.0.1 or higher.	[,23.0.1)
M Credential Exposure org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the `password` and `password-confirm` fields from the form are treated as regular attributes. All users and clients with proper rights/roles are able to retrieve the user's passwords in cleartext. How to fix Credential Exposure? Upgrade `org.keycloak:keycloak-services` to version 22.0.3 or higher.	[,22.0.3)
H Improper Certificate Validation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients. How to fix Improper Certificate Validation? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
M Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the `AssertionConsumerServiceURL` implementation. Exploiting this vulnerability is possible by sending a crafted SAML XML request. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
L Authentication Bypass by Spoofing org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a `device_code` to retrieve an access token for other OAuth clients. How to fix Authentication Bypass by Spoofing? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
H Insufficient Verification of Data Authenticity org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens. How to fix Insufficient Verification of Data Authenticity? Upgrade `org.keycloak:keycloak-services` to version 21.0.1 or higher.	[,21.0.1)
M Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the `oob` OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 21.0.0 or higher.	[,21.0.0)
M Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 20.0.5 or higher.	[0,20.0.5)

Go back to all versions of this package

org.keycloak:keycloak-services@20.0.4 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities