org.keycloak:keycloak-server-spi-private 4.8.2.Final

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-server-spi-private package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Authentication Bypass by Primary Weakness org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process when it is disabled. An attacker can gain unauthorized access by exploiting the ability to authenticate through a provider that should not be available. How to fix Authentication Bypass by Primary Weakness? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.2.14, 26.4.10, 26.5.5 or higher.	[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
H Authorization Bypass Through User-Controlled Key org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the `IdentityBrokerService.performLogin` endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.2.14, 26.4.10, 26.5.5 or higher.	[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
M Access Control Bypass org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Control Bypass due to the `DefaultAttributes` attribute filtering in the user profile management. An attacker with `manage-users` permission can make unauthorized modifications to user profile attributes even when the “Only administrators can view” policy is enabled by bypassing the edit restriction on unmanaged attributes. How to fix Access Control Bypass? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.5.2 or higher.	[,26.5.2)
M Incorrect Privilege Assignment org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the Admin API. An attacker can access sensitive user attributes by sending crafted requests with limited administrator privileges. Note: This is only exploitable if the attacker has a valid account on the realm, has view-users role and the target realm uses the User Profile feature with custom attributes set to restricted visibility. How to fix Incorrect Privilege Assignment? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.5.2 or higher.	[,26.5.2)
M Access Control Bypass org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Control Bypass via insufficient authorization checks on the `/admin/realms/{realm}/roles` endpoint. A remote authenticated attacker with high-privileges can access sensitive role metadata by sending crafted requests with elevated privileges. How to fix Access Control Bypass? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.5.0 or higher.	[0,26.5.0)
M CRLF Injection org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited emails limited to 64 characters by injecting special characters into the email input field. How to fix CRLF Injection? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.3.3 or higher.	[,26.3.3)
M Origin Validation Error org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error via the `review profile` process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account. Note: This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active. How to fix Origin Validation Error? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.3.0 or higher.	[,26.3.0)
M Denial of Service (DoS) org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure. Note: This is only exploitable if the attacker can change realm settings. How to fix Denial of Service (DoS)? Upgrade `org.keycloak:keycloak-server-spi-private` to version 26.0.8 or higher.	[,26.0.8)
H URL Redirection to Untrusted Site ('Open Redirect') org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Note: This is only exploitable if a 'Valid Redirect URI' is set to `http://localhost` or `http://127.0.0.1`. How to fix URL Redirection to Untrusted Site ('Open Redirect')? Upgrade `org.keycloak:keycloak-server-spi-private` to version 22.0.13, 24.0.8, 25.0.6 or higher.	[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)
M Missing Critical Step in Authentication org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication. How to fix Missing Critical Step in Authentication? Upgrade `org.keycloak:keycloak-server-spi-private` to version 22.0.10, 24.0.3 or higher.	[,22.0.10)[23.0.0,24.0.3)
L Authentication Bypass by Spoofing org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a `device_code` to retrieve an access token for other OAuth clients. How to fix Authentication Bypass by Spoofing? Upgrade `org.keycloak:keycloak-server-spi-private` to version 21.1.2 or higher.	[,21.1.2)
M Information Exposure org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. How to fix Information Exposure? Upgrade `org.keycloak:keycloak-server-spi-private` to version 13.0.0 or higher.	[,13.0.0)
M Cross-site Scripting (XSS) org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Keycloak's data filter would allow some data URLs to be navigated in some circumstances. An attacker could use this flaw to conduct cross-site scripting attacks. This vulnerability is related to an incomplete fix of `CVE-2020-1697`. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-server-spi-private` to version 11.0.3 or higher.	[,11.0.3)
M Cross-site Scripting (XSS) org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Links to external applications (Application Links) in the admin console are not validated properly. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-server-spi-private` to version 9.0.0 or higher.	[,9.0.0)
M Man-in-the-Middle (MitM) org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The `X.509` authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (`http` or `ldap`) and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle. How to fix Man-in-the-Middle (MitM)? Upgrade `org.keycloak:keycloak-server-spi-private` to version 6.0.0 or higher.	[,6.0.0)

Vulnerability

Vulnerable Version

Authentication Bypass by Primary Weakness

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process when it is disabled. An attacker can gain unauthorized access by exploiting the ability to authenticate through a provider that should not be available.

How to fix Authentication Bypass by Primary Weakness?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.2.14, 26.4.10, 26.5.5 or higher.

[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)

Authorization Bypass Through User-Controlled Key

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the IdentityBrokerService.performLogin endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.2.14, 26.4.10, 26.5.5 or higher.

[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)

Access Control Bypass

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Control Bypass due to the DefaultAttributes attribute filtering in the user profile management. An attacker with manage-users permission can make unauthorized modifications to user profile attributes even when the “Only administrators can view” policy is enabled by bypassing the edit restriction on unmanaged attributes.

How to fix Access Control Bypass?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.5.2 or higher.

[,26.5.2)

Incorrect Privilege Assignment

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the Admin API. An attacker can access sensitive user attributes by sending crafted requests with limited administrator privileges.

Note:

This is only exploitable if the attacker has a valid account on the realm, has view-users role and the target realm uses the User Profile feature with custom attributes set to restricted visibility.

How to fix Incorrect Privilege Assignment?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.5.2 or higher.

[,26.5.2)

Access Control Bypass

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Control Bypass via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. A remote authenticated attacker with high-privileges can access sensitive role metadata by sending crafted requests with elevated privileges.

How to fix Access Control Bypass?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.5.0 or higher.

[0,26.5.0)

CRLF Injection

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited emails limited to 64 characters by injecting special characters into the email input field.

How to fix CRLF Injection?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.3.3 or higher.

[,26.3.3)

Origin Validation Error

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account.

Note:

This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active.

How to fix Origin Validation Error?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.3.0 or higher.

[,26.3.0)

Denial of Service (DoS)

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure.

Note: This is only exploitable if the attacker can change realm settings.

How to fix Denial of Service (DoS)?

Upgrade org.keycloak:keycloak-server-spi-private to version 26.0.8 or higher.

[,26.0.8)

URL Redirection to Untrusted Site ('Open Redirect')

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking.

Note: This is only exploitable if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1.

How to fix URL Redirection to Untrusted Site ('Open Redirect')?

Upgrade org.keycloak:keycloak-server-spi-private to version 22.0.13, 24.0.8, 25.0.6 or higher.

[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)

Missing Critical Step in Authentication

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication.

How to fix Missing Critical Step in Authentication?

Upgrade org.keycloak:keycloak-server-spi-private to version 22.0.10, 24.0.3 or higher.

[,22.0.10)[23.0.0,24.0.3)

Authentication Bypass by Spoofing

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.

How to fix Authentication Bypass by Spoofing?

Upgrade org.keycloak:keycloak-server-spi-private to version 21.1.2 or higher.

[,21.1.2)

Information Exposure

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later.

How to fix Information Exposure?

Upgrade org.keycloak:keycloak-server-spi-private to version 13.0.0 or higher.

[,13.0.0)

Cross-site Scripting (XSS)

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Keycloak's data filter would allow some data URLs to be navigated in some circumstances. An attacker could use this flaw to conduct cross-site scripting attacks. This vulnerability is related to an incomplete fix of CVE-2020-1697.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-server-spi-private to version 11.0.3 or higher.

[,11.0.3)

Cross-site Scripting (XSS)

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Links to external applications (Application Links) in the admin console are not validated properly.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-server-spi-private to version 9.0.0 or higher.

[,9.0.0)

Man-in-the-Middle (MitM)

org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (http or ldap) and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.

How to fix Man-in-the-Middle (MitM)?

Upgrade org.keycloak:keycloak-server-spi-private to version 6.0.0 or higher.

[,6.0.0)

org.keycloak:keycloak-server-spi-private@4.8.2.Final

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically