org.keycloak:keycloak-services 26.3.5 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Insufficient Session Expiration org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Session Expiration in the "Remember Me" realm setting. An attacker with a long-lived "Remember Me" session (e.g., stole the identity cookie) can maintain access for the full original remember-me lifetime to gain unauthorized access to sensitive information or perform actions as another user. How to fix Insufficient Session Expiration? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Exposure of Sensitive System Information to an Unauthorized Control Sphere org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the `/admin/serverinfo` endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console. Note: Direct access to this endpoint returns a 401 Unauthorized error. How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)

Vulnerability

Vulnerable Version

Insufficient Session Expiration

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Session Expiration in the "Remember Me" realm setting. An attacker with a long-lived "Remember Me" session (e.g., stole the identity cookie) can maintain access for the full original remember-me lifetime to gain unauthorized access to sensitive information or perform actions as another user.

How to fix Insufficient Session Expiration?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Exposure of Sensitive System Information to an Unauthorized Control Sphere

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the /admin/serverinfo endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console.

Note: Direct access to this endpoint returns a 401 Unauthorized error.

How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

org.keycloak:keycloak-services@26.3.5 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically