org.keycloak:keycloak-services@26.6.4

  • latest version

    26.6.4

  • first published

    12 years ago

  • latest version published

    5 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Improper Verification of Cryptographic Signature (severity: High)

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the JWT Authorization Grant flow, caused by algorithm confusion in signature verification: the verifier lets the token decide how it is verified instead of pinning the algorithm to the key. An attacker can forge assertions that the server accepts, obtain access tokens it should never have issued, and thereby gain unauthorized access and potentially escalate privileges.

    How to fix Improper Verification of Cryptographic Signature?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: [0,)
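The mechanism behind an algorithm-confusion bug, as an added example in Python (not Keycloak's code and not the advisory's exploit): a verifier that dispatches on the token's own `alg` header accepts an HS256 token whose HMAC secret is the published RSA public key, and an `alg=none` token with no signature at all; a verifier that pins the algorithm to the registered key rejects both. The "RSA" key is the textbook toy modulus (p=61, q=53) so the example runs offline with the standard library only; the key registry, `kid` values and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

# Toy RSA key (textbook p=61, q=53). Exists only so this runs offline; NOT secure.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753

# What a JWKS endpoint would publish: public material only.
PUBLIC_KEY_MATERIAL = json.dumps({"kty": "RSA", "n": RSA_N, "e": RSA_E}).encode()

# Verifier-side key registry (hypothetical): each kid is bound to exactly one algorithm.
KEYS = {"rsa-1": {"alg": "RS256", "material": PUBLIC_KEY_MATERIAL}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def segments(header: dict, claims: dict):
    return b64url(json.dumps(header).encode()), b64url(json.dumps(claims).encode())


def digest_int(signing_input: bytes, n: int) -> int:
    # SHA-256 reduced mod n so the toy modulus can sign it (toy-only shortcut).
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big") % n


def sign_rs256_toy(claims: dict, kid: str) -> str:
    """Legitimate issuer: signs with the private exponent."""
    h64, c64 = segments({"alg": "RS256", "kid": kid}, claims)
    sig = pow(digest_int(f"{h64}.{c64}".encode(), RSA_N), RSA_D, RSA_N).to_bytes(2, "big")
    return f"{h64}.{c64}.{b64url(sig)}"


def forge_hs256_with_public_key(claims: dict, kid: str) -> str:
    """Attacker: HMAC the token with the PUBLIC key bytes and claim alg=HS256."""
    h64, c64 = segments({"alg": "HS256", "kid": kid}, claims)
    mac = hmac.new(KEYS[kid]["material"], f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{c64}.{b64url(mac)}"


def forge_alg_none(claims: dict, kid: str) -> str:
    """Attacker: unsigned token with alg=none and an empty signature segment."""
    h64, c64 = segments({"alg": "none", "kid": kid}, claims)
    return f"{h64}.{c64}."


def _rs256_ok(signing_input: bytes, sig: bytes, material: bytes) -> bool:
    pub = json.loads(material)
    return pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == digest_int(signing_input, pub["n"])


def _hs256_ok(signing_input: bytes, sig: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(hmac.new(secret, signing_input, hashlib.sha256).digest(), sig)


def _split(token: str):
    h64, c64, s64 = token.split(".")
    header = json.loads(b64url_dec(h64))
    claims = json.loads(b64url_dec(c64))
    return header, f"{h64}.{c64}".encode(), b64url_dec(s64), claims


def verify_vulnerable(token: str):
    """Lets the token's own 'alg' header choose the verification routine."""
    header, signing_input, sig, claims = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    alg = header.get("alg")
    if alg == "none":
        ok = True                                               # unsigned token accepted
    elif alg == "HS256":
        ok = _hs256_ok(signing_input, sig, key["material"])     # public key bytes act as HMAC secret
    elif alg == "RS256":
        ok = _rs256_ok(signing_input, sig, key["material"])
    else:
        ok = False
    return claims if ok else None


def verify_hardened(token: str):
    """Pins the algorithm to the one registered for the kid; the header must agree."""
    header, signing_input, sig, claims = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != key["alg"]:
        return None
    if key["alg"] == "RS256" and sig and _rs256_ok(signing_input, sig, key["material"]):
        return claims
    return None   # no symmetric or 'none' path exists for an RSA key
```

The fix is not "reject HS256" in general; it is that the key registry, not the untrusted header, decides which primitive runs, and that no key material registered for an asymmetric algorithm is ever handed to an HMAC.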
    • Incorrect Authorization (severity: High)


    Affected versions of this package are vulnerable to Incorrect Authorization via the partialImport feature. An attacker can gain unauthorized administrative privileges by leveraging the POST /admin/realms/{realm}/partialImport endpoint to import users with elevated role mappings, thereby bypassing intended permission restrictions.

    How to fix Incorrect Authorization?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: [0,)
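The authorization check a practitioner would want on an import endpoint, as an added example in Python (not Keycloak's code, and not a reproduction of the advisory): a handler that gates only on "may manage users" lets a limited admin import a user whose role mappings exceed the caller's own authority; the hardened handler additionally requires every role mapping in the batch to be one the caller may grant, and validates the whole batch before writing anything. The in-memory `Realm`, the caller model (`permissions`, `grantable_roles`) and the payloads are constructed; the user shape with `realmRoles` / `clientRoles` only mirrors the usual representation.

```python
from copy import deepcopy


class Realm:
    """Constructed stand-in for the realm store."""
    def __init__(self):
        self.users = {}

    def create_user(self, rep: dict) -> None:
        self.users[rep["username"]] = deepcopy(rep)


def requested_roles(user_rep: dict) -> set:
    """Flatten a user's role mappings into 'role' and 'client:role' strings."""
    roles = set(user_rep.get("realmRoles", []))
    for client, client_roles in user_rep.get("clientRoles", {}).items():
        roles.update(f"{client}:{r}" for r in client_roles)
    return roles


def partial_import_vulnerable(caller: dict, payload: dict, realm: Realm) -> list:
    """Gates only on the endpoint permission, then imports role mappings verbatim:
    a caller allowed to manage users can mint a user holding roles the caller
    could never assign directly."""
    if "manage-users" not in caller["permissions"]:
        raise PermissionError("manage-users required")
    for rep in payload.get("users", []):
        realm.create_user(rep)
    return sorted(realm.users)


def partial_import_hardened(caller: dict, payload: dict, realm: Realm) -> list:
    """Same endpoint gate, plus per-mapping authorization: every role in the batch
    must be grantable by the caller. The batch is validated in full before any
    write, so a rejected import leaves no partially created users behind."""
    if "manage-users" not in caller["permissions"]:
        raise PermissionError("manage-users required")
    users = payload.get("users", [])
    for rep in users:
        excess = requested_roles(rep) - caller["grantable_roles"]
        if excess:
            raise PermissionError(f"{rep['username']}: caller may not assign {sorted(excess)}")
    for rep in users:
        realm.create_user(rep)
    return sorted(realm.users)


# Constructed inputs: a helpdesk admin who may manage users but only grant 'viewer'.
HELPDESK = {"permissions": {"manage-users"}, "grantable_roles": {"viewer"}}
ESCALATION_PAYLOAD = {"users": [
    {"username": "backdoor", "enabled": True,
     "realmRoles": ["viewer"],
     "clientRoles": {"realm-management": ["realm-admin"]}},
]}
BENIGN_PAYLOAD = {"users": [{"username": "newhire", "realmRoles": ["viewer"]}]}
```

The same rule applies to any bulk or import path that can attach authorization data to an object: the check has to be at least as strict as the one on the single-object endpoint it bypasses.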
    • Improper Validation of Consistency within Input (severity: Low)


    Affected versions of this package are vulnerable to Improper Validation of Consistency within Input via the authentication process when a client is configured with a wildcard redirect URI. An attacker can cause the client application to incorrectly process attacker-controlled OIDC response parameters by crafting a malicious authorization URL and tricking a user into clicking it.

    How to fix Improper Validation of Consistency within Input?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: [0,)
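How a wildcard redirect URI lets attacker-chosen parameters reach the client, as an added example in Python (not Keycloak's code and not the advisory's exact steps): a prefix-wildcard match accepts a `redirect_uri` that already carries `code` and `state`, the authorization server appends its own response parameters to that URI, and a client that takes the first occurrence of each parameter processes the attacker's values. The hardened authorization-server check refuses any query or fragment on the candidate and confines the wildcard to the path, and a strict client rejects duplicated response parameters. The registered URI, the attacker link and the code/state values are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

REGISTERED = "https://app.example/callback*"   # constructed client registration


def redirect_uri_allowed_wildcard(registered: str, candidate: str) -> bool:
    """Loose check: a trailing '*' matches anything, including a query string."""
    if registered.endswith("*"):
        return candidate.startswith(registered[:-1])
    return candidate == registered


def redirect_uri_allowed_hardened(registered: str, candidate: str) -> bool:
    """Strict check: no query or fragment on the candidate; '*' only widens the path,
    and scheme/host must match the registered value exactly."""
    parts = urlsplit(candidate)
    if parts.query or parts.fragment:
        return False
    if registered.endswith("*"):
        reg = urlsplit(registered[:-1])
        return (parts.scheme, parts.netloc) == (reg.scheme, reg.netloc) and parts.path.startswith(reg.path)
    return candidate == registered


def authorization_response(redirect_uri: str, code: str, state: str) -> str:
    """After login the authorization server appends its response parameters
    (the issued code and the echoed state) to the redirect_uri it accepted."""
    sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}{urlencode({'code': code, 'state': state})}"


def client_parse_naive(url: str) -> dict:
    """A client that keeps the first occurrence of each parameter."""
    out = {}
    for k, v in parse_qsl(urlsplit(url).query):
        out.setdefault(k, v)
    return out


def client_parse_strict(url: str) -> dict:
    """A client that refuses duplicated response parameters."""
    out = {}
    for k, v in parse_qsl(urlsplit(url).query):
        if k in out:
            raise ValueError(f"duplicate response parameter {k!r}")
        out[k] = v
    return out


def run_flow(check, redirect_uri: str, client_parse):
    """Simulated flow: AS validates redirect_uri, user authenticates, AS issues a
    code, browser lands on the callback, client parses it. None = AS refused."""
    if not check(REGISTERED, redirect_uri):
        return None
    callback = authorization_response(redirect_uri, code="real-code", state="real-state")
    return client_parse(callback)


# Constructed attacker link: the redirect_uri already carries response parameters.
ATTACKER_REDIRECT = "https://app.example/callback?code=attacker-code&state=attacker-state"
```

Both sides need the fix: the authorization server should never accept a `redirect_uri` whose query string it does not control, and the client should treat a duplicated `code` or `state` as a protocol error rather than picking one.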
    • Improper Verification of Cryptographic Signature (severity: High)


    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature: the requestObjectSignatureAlg policy can be bypassed when a JWE-encrypted request object decrypts to raw JSON plaintext instead of a nested signed JWT, so the claims are processed without the signature the policy demands. An attacker can submit unauthorized claims by crafting such an encrypted request object, compromising the integrity of the OpenID Connect authorization request.

    How to fix Improper Verification of Cryptographic Signature?

    There is no fixed version for org.keycloak:keycloak-services.

    Vulnerable versions: [0,)
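The check that closes this class of bypass, as an added example in Python (not Keycloak's code, and not a reproduction of the advisory): the functions model the step after JWE decryption, when the server holds the plaintext. A handler that accepts JSON-looking plaintext as the claims never consults the signature policy for an encrypt-only request object; the hardened handler requires the plaintext to be a JWS whose `alg` matches the policy whenever a signature algorithm is configured. The policy value, client secret and claims are constructed, and HS256 stands in for whatever algorithm the policy names.

```python
import base64
import hashlib
import hmac
import json

REQUEST_OBJECT_SIGNATURE_ALG = "HS256"      # constructed policy: request objects must be signed with this
CLIENT_SECRET = b"constructed-client-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict) -> str:
    """Legitimate client: builds the JWS that it would then encrypt into a JWE."""
    h64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    c64 = b64url(json.dumps(claims).encode())
    mac = hmac.new(CLIENT_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{c64}.{b64url(mac)}"


def verify_jws(compact: str, required_alg: str) -> dict:
    """Checks the header alg against policy BEFORE checking the signature, so an
    alg=none or wrong-alg nested object is refused outright."""
    h64, c64, s64 = compact.split(".")
    header = json.loads(b64url_dec(h64))
    if header.get("alg") != required_alg:
        raise ValueError(f"request object alg {header.get('alg')!r} violates policy {required_alg!r}")
    expected = hmac.new(CLIENT_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_dec(s64)):
        raise ValueError("bad request object signature")
    return json.loads(b64url_dec(c64))


def parse_request_object_vulnerable(plaintext: str) -> dict:
    """Decrypted plaintext that looks like JSON is taken as the claims directly;
    the signature policy only ever runs on the JWS branch."""
    text = plaintext.strip()
    if text.startswith("{"):
        return json.loads(text)
    return verify_jws(text, REQUEST_OBJECT_SIGNATURE_ALG)


def parse_request_object_hardened(plaintext: str) -> dict:
    """With a signature alg configured, the JWE plaintext must itself be a JWS
    (nested JWT). Raw JSON is rejected instead of being trusted."""
    text = plaintext.strip()
    if text.startswith("{"):
        if REQUEST_OBJECT_SIGNATURE_ALG is not None:
            raise ValueError("policy requires a signed request object; raw JSON plaintext rejected")
        return json.loads(text)
    return verify_jws(text, REQUEST_OBJECT_SIGNATURE_ALG)


# Constructed decrypted plaintexts: one nested JWS, one encrypt-only raw JSON.
LEGIT_PLAINTEXT = sign_request_object({"client_id": "app", "scope": "openid"})
RAW_JSON_PLAINTEXT = json.dumps({"client_id": "app", "scope": "openid admin"})
```

Encryption gives confidentiality, not origin authentication: a JWE that anyone holding the server's public key can produce says nothing about who wrote the claims inside it, which is exactly why the signature policy must be enforced on the decrypted content.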
    • Time-of-check Time-of-use (TOCTOU) Race Condition (severity: High)


    Affected versions of this package are vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition in the role rename endpoint. An attacker can gain unauthorized administrative privileges by exploiting the window between the permission check and the operation it is meant to guard. The resulting escalation to realm-wide administrative control persists even after the attacker's original permissions are revoked and survives system reboots.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: [0,)