org.keycloak:keycloak-services@3.2.1.Final vulnerabilities

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the WebAuthn authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication.

Upgrade org.keycloak:keycloak-services to version 23.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error due to the checkLoginIframe process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to an issue in the redirect_uri validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure due to not properly checking client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

Upgrade org.keycloak:keycloak-services to version 20.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them.

Upgrade org.keycloak:keycloak-services to version 22.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the form_post.jwt response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response.

Upgrade org.keycloak:keycloak-services to version 23.0.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the OIDC redirect_uri function. An attacker can submit a specially crafted request leading to cross-site scripting or further attacks by appending a wildcard to the token.

Upgrade org.keycloak:keycloak-services to version 22.0.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to LDAP Injection through the UsernameForm login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query.

Upgrade org.keycloak:keycloak-services to version 23.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the password and password-confirm fields from the form are treated as regular attributes. All users and clients with proper rights/roles are able to retrieve the user's passwords in cleartext.

Upgrade org.keycloak:keycloak-services to version 22.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the AssertionConsumerServiceURL implementation. Exploiting this vulnerability is possible by sending a crafted SAML XML request.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens.

Upgrade org.keycloak:keycloak-services to version 21.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the oob OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

Upgrade org.keycloak:keycloak-services to version 21.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the execute-actions-email endpoint in the admin REST API. Users can inject HTML into emails sent to other users.

Upgrade org.keycloak:keycloak-services to version 20.0.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity.

Upgrade org.keycloak:keycloak-services to version 20.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Directory Traversal due to not properly validating URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.

Upgrade org.keycloak:keycloak-services to version 20.0.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.

Upgrade org.keycloak:keycloak-services to version 20.0.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authorization. This allows a client application, holding a valid access token, to exchange tokens for any target client, bypassing the client_id of the target and allowing a client to gain unauthorized access to additional services.

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure. When a malicious actor causes an account lockdown by brute-forcing the credentials, they may then continue to attempt to log-in, and will be notified that the account is locked when the input password is correct.

Upgrade org.keycloak:keycloak-services to version 13.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication due to a flaw in the reset credentials flow, which allows an attacker to gain unauthorized access to the application.

Upgrade org.keycloak:keycloak-services to version 8.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Directory Traversal due to missing sanitization in ClassLoaderTheme and ClasspathThemeResourceProviderFactory which allows reading any file available as a resource to the classloader.

Upgrade org.keycloak:keycloak-services to version 15.1.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication. For each SAML client it is possible to send an AuthnRequest message via SOAP with Basic Authorization header and Keycloak will successfully authenticate the user for the client and will not consider the authentication flow applied. The presence of the flow is hidden from the administrator, it is not possible to disable it in the client's configuration similarly as direct grant etc.

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication. Anyone can register a new device for an account when there is no device registered for passwordless login.

Upgrade org.keycloak:keycloak-services to version 15.1.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insecure Permissions. A flaw was found in Keycloak where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Upgrade org.keycloak:keycloak-services to version 12.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insecure Temporary File. A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.

Upgrade org.keycloak:keycloak-services to version 13.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Access Control. Keycloak may fail to logout user session if the logout request comes from an external SAML identity provider and Principal Type is set to Attribute Name.

Upgrade org.keycloak:keycloak-services to version 14.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later.

Upgrade org.keycloak:keycloak-services to version 13.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to User Impersonation when a malicious user can register himself with a name already registered, and trick admin to grant him extra privileges.

Upgrade org.keycloak:keycloak-services to version 18.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Input Validation. Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct-grant authenticator. This is because Keycloak does not trigger the appropriate timestamp validation.

Upgrade org.keycloak:keycloak-services to version 9.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via createRealm.

Upgrade org.keycloak:keycloak-services to version 12.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via request_uri, using OIDC parameter which can force the server to call out an unverified URL.

Upgrade org.keycloak:keycloak-services to version 12.0.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Directory Traversal while using URL-encoded path segments in the request. It is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can be exposed by this flaw

Upgrade org.keycloak:keycloak-services to version 11.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Input Validation. There is a missing input validation in IDP authorization URLs.

Upgrade org.keycloak:keycloak-services to version 9.0.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Certificate Validation. It does not perform TLS hostname verification when sending emails via an SMTP server which could result in information disclosure.

Upgrade org.keycloak:keycloak-services to version 10.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Disclosure. It allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

Upgrade org.keycloak:keycloak-services to version 9.0.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Code Injection. A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.

Upgrade org.keycloak:keycloak-services to version 8.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure. A failedLogin Event is not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP, allowing attackers to use brute-force login techniques.

Upgrade org.keycloak:keycloak-services to version 9.0.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Use of Hard-coded Constants. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.

Upgrade org.keycloak:keycloak-services to version 8.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure. Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session.

Upgrade org.keycloak:keycloak-services to version 6.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It was found that Keycloak's account console did not perform adequate header checks in some requests. As such, an attacker could use this flaw to trick an authenticated user into performing operations via a forged request from an untrusted domain.

Upgrade org.keycloak:keycloak-services to version 7.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Control Bypass. The SAML broker used within keycloak did not verify missing message signatures. As such, it is possible for an attacker to modify the SAML Response and remove the section and impersonate another user to gain unauthorized access. This is due to the SAML message is still accepted by the package after being tampered with.

Upgrade org.keycloak:keycloak-services to version 7.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (http or ldap) and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.

Upgrade org.keycloak:keycloak-services to version 6.0.0 or higher.

org.keycloak:keycloak-services is an Open Source Identity and Access Management For Modern Applications and Services.

Affected versions of this package are vulnerable to Replay attack due to the SAML broker consumer endpoint which ignored expiration conditions on SAML assertions.

Upgrade org.keycloak:keycloak-services to version 4.6.0 or higher.

org.keycloak:keycloak-services is an Open Source Identity and Access Management For Modern Applications and Services.

Affected versions of this package are vulnerable to Open Redirect via the org.keycloak.protocol.oidc.utils.RedirectUtils path. The Redirect URL for both Login and Logout are not normalized before the redirect url is verified.

Upgrade org.keycloak:keycloak-services to version 4.5.0 or higher.

org.keycloak:keycloak-services is an open Source Identity and Access Management for modern Applications and Services.

Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF). It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

Upgrade org.keycloak:keycloak-services to version 3.3.0.Final or higher.

org.keycloak:keycloak-services is an open Source Identity and Access Management for modern Applications and Services.

Affected versions of the package are vulnerable to Privilege Escalation. It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks

Upgrade org.keycloak:keycloak-services to version 3.3.0.Final or higher.