org.keycloak:keycloak-core 18.0.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-core is an open source identity and access management solution. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-core` to version 26.0.8 or higher.	[,26.0.8)
M Use of a Key Past its Expiration Date org.keycloak:keycloak-core is an open source identity and access management solution. Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the extended validation period of `OTP` codes. An attacker can gain unauthorized access by using expired OTP codes that should no longer be valid. How to fix Use of a Key Past its Expiration Date? Upgrade `org.keycloak:keycloak-core` to version 24.0.7, 25.0.4 or higher.	[,24.0.7)[25.0.0,25.0.4)
H Improper Handling of Extra Values org.keycloak:keycloak-core is an open source identity and access management solution. Affected versions of this package are vulnerable to Improper Handling of Extra Values due to the lack of limitation on the number of attributes per object. An attacker can cause resource exhaustion by sending repeated HTTP requests that result in the application sending back rows with long attribute values. How to fix Improper Handling of Extra Values? Upgrade `org.keycloak:keycloak-core` to version 24.0.0 or higher.	[0,24.0.0)
M Unprotected Transport of Credentials org.keycloak:keycloak-core is an open source identity and access management solution. Affected versions of this package are vulnerable to Unprotected Transport of Credentials for the LDAP testing endpoint, which allows the modification of the `Connection URL` without entering the LDAP bind credentials. An attacker with `manage-realm` permission can redirect the LDAP host to an arbitrary URL. How to fix Unprotected Transport of Credentials? Upgrade `org.keycloak:keycloak-core` to version 24.0.6, 25.0.1 or higher.	[,24.0.6)[25.0.0,25.0.1)
M Cross-site Scripting (XSS) org.keycloak:keycloak-core is an open source identity and access management solution. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The ”Groups” dropdown in ”Add user” is not escaped properly. It allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-core` to version 20.0.0 or higher.	[16.0.1,20.0.0)
M Improper Certificate Validation org.keycloak:keycloak-core is an open source identity and access management solution. Affected versions of this package are vulnerable to Improper Certificate Validation due to allowing unintended access of an untrusted certificate when using `Revalidate Client Certificate` and when `KC_SPI_TRUSTSTORE_FILE_FILE` is misconfigured. How to fix Improper Certificate Validation? Upgrade `org.keycloak:keycloak-core` to version 21.1.2 or higher.	[0,21.1.2)

Vulnerability

Vulnerable Version

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-core to version 26.0.8 or higher.

[,26.0.8)

Use of a Key Past its Expiration Date

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the extended validation period of OTP codes. An attacker can gain unauthorized access by using expired OTP codes that should no longer be valid.

How to fix Use of a Key Past its Expiration Date?

Upgrade org.keycloak:keycloak-core to version 24.0.7, 25.0.4 or higher.

[,24.0.7)[25.0.0,25.0.4)

Improper Handling of Extra Values

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Improper Handling of Extra Values due to the lack of limitation on the number of attributes per object. An attacker can cause resource exhaustion by sending repeated HTTP requests that result in the application sending back rows with long attribute values.

How to fix Improper Handling of Extra Values?

Upgrade org.keycloak:keycloak-core to version 24.0.0 or higher.

[0,24.0.0)

Unprotected Transport of Credentials

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials for the LDAP testing endpoint, which allows the modification of the Connection URL without entering the LDAP bind credentials. An attacker with manage-realm permission can redirect the LDAP host to an arbitrary URL.

How to fix Unprotected Transport of Credentials?

Upgrade org.keycloak:keycloak-core to version 24.0.6, 25.0.1 or higher.

[,24.0.6)[25.0.0,25.0.1)

Cross-site Scripting (XSS)

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The ”Groups” dropdown in ”Add user” is not escaped properly. It allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-core to version 20.0.0 or higher.

[16.0.1,20.0.0)

Improper Certificate Validation

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Improper Certificate Validation due to allowing unintended access of an untrusted certificate when using Revalidate Client Certificate and when KC_SPI_TRUSTSTORE_FILE_FILE is misconfigured.

How to fix Improper Certificate Validation?

Upgrade org.keycloak:keycloak-core to version 21.1.2 or higher.

[0,21.1.2)

org.keycloak:keycloak-core@18.0.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically