org.keycloak:keycloak-services@20.0.4 vulnerabilities
-
latest version
24.0.3
-
latest non vulnerable version
-
first published
10 years ago
-
latest version published
a month ago
-
licenses detected
- [1.0-alpha-1,)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the How to fix Improper Input Validation? Upgrade |
[,23.0.5)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error due to the How to fix Origin Validation Error? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. How to fix Authentication Bypass? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to an issue in the How to fix Open Redirect? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission. How to fix Cross-site Scripting (XSS)? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with How to fix Authorization Bypass Through User-Controlled Key? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication. How to fix Missing Critical Step in Authentication? Upgrade |
[,24.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them. How to fix Improper Authorization? Upgrade |
[,22.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the How to fix Open Redirect? Upgrade |
[,23.0.4)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)? Upgrade |
[,22.0.7)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to LDAP Injection through the How to fix LDAP Injection? Upgrade |
[,23.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the How to fix Credential Exposure? Upgrade |
[,22.0.3)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients. How to fix Improper Certificate Validation? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the How to fix Cross-site Scripting (XSS)? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder.
Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a How to fix Authentication Bypass by Spoofing? Upgrade |
[,21.1.2)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens. How to fix Insufficient Verification of Data Authenticity? Upgrade |
[,21.0.1)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the How to fix Cross-site Scripting (XSS)? Upgrade |
[,21.0.0)
|
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity. How to fix Cross-site Scripting (XSS)? Upgrade |
[0,20.0.5)
|