org.keycloak:keycloak-services@23.0.0 vulnerabilities

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Path Traversal due to improper URL validation in the redirection process. An attacker can construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain.

Note: This flaw is particularly concerning for any client that utilizes a wildcard in the Valid Redirect URIs field.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the WebAuthn authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication.

Upgrade org.keycloak:keycloak-services to version 23.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error due to the checkLoginIframe process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to an issue in the redirect_uri validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the form_post.jwt response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response.

Upgrade org.keycloak:keycloak-services to version 23.0.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to LDAP Injection through the UsernameForm login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query.

Upgrade org.keycloak:keycloak-services to version 23.0.1 or higher.