org.keycloak:keycloak-services 26.3.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Exposure of Sensitive System Information to an Unauthorized Control Sphere org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the `/admin/serverinfo` endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console. Note: Direct access to this endpoint returns a 401 Unauthorized error. How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
L Improper Privilege Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the `manage-users` role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally. Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name. How to fix Improper Privilege Management? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)

Vulnerability

Vulnerable Version

Exposure of Sensitive System Information to an Unauthorized Control Sphere

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the /admin/serverinfo endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console.

Note: Direct access to this endpoint returns a 401 Unauthorized error.

How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Improper Privilege Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the manage-users role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally.

Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name.

How to fix Improper Privilege Management?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

org.keycloak:keycloak-services@26.3.2 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?