org.keycloak:keycloak-services@19.0.0

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the allowRemoteResourceManagement setting is set to false.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make unintended requests to internal or restricted resources by sending a malicious sector_identifier_uri that accesses addresses such as a cloud metadata services at 169.254.169.254.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via improper validation of encrypted SAML assertions. An attacker can gain unauthorized access by submitting specially crafted SAML assertions.

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process when it is disabled. An attacker can gain unauthorized access by exploiting the ability to authenticate through a provider that should not be available.

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the IdentityBrokerService.performLogin endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider.

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness when a disabled SAML client is configured as an Identity Provider (IdP)-initiated broker landing target. An attacker can gain unauthorized access to other enabled clients via a Single Sign-On (SSO) session.

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to insufficient validation of the authentication Level of Assurance in the Account REST API. An attacker can gain control over a victim's account by deleting the victim's registered MFA device and registering their own, provided they have obtained the victim's primary credentials.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via improper enforcement of roles in the UMA 2.0 Protection API which fails to enforce the uma_protection role check. An attacker can access sensitive information by leveraging insufficient permission checks.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the manage-clients permission assignment. An attacker can gain unauthorized access to higher-privileged operations by exploiting insufficient enforcement of access controls.

Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authorization in the /protocol/docker-v2/auth endpoint, which does not ensure that the client is in “Enabled” status before granting an access token. This allows a user in possession of valid credentials and the client ID of a disabled client to bypass administrative restrictions.

Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the SAMLRequest DEFLATE decompression. An attacker can cause service disruption by sending a highly compressed requests that trigger excessive resource consumption during decompression.

Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if their unique identifier (UUID) is known.

Note:

This is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm and the attacker knows the UUID of the victim user.

Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the invitation tokens in the registration process. An attacker can gain unauthorized access to organizations by modifying the organization ID and target email within a legitimate invitation token's JWT payload.

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to improper verification if an Identity Provider (IdP) is enabled before issuing tokens. An attacker can gain unauthorized access by issuing valid access tokens using a disabled Identity Provider's signing key.

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to insufficient ownership verification in the UserManagedPermissionService (UMA Protection API). An attacker can gain unauthorized access to modify or delete authorization rules for resources they do not own by updating or deleting a policy associated with multiple resources, where the authorization check only validates ownership of the first resource in the list.

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow via the Token Exchange implementation. An attacker can obtain access and refresh tokens for users who have been disabled by invoking the token exchange flow with a privileged client, potentially resulting in unauthorized access to previously revoked privileges.

Upgrade org.keycloak:keycloak-services to version 26.5.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateTokenReuse method in the TokenManager class. An attacker can obtain multiple access tokens from a single refresh token by making concurrent refresh requests.

A fix was pushed into the master branch but not yet published.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing XML Validation of the NotOnOrAfter timestamp in SubjectConfirmationData when SAML is configured to act as a client (SAML brokering). An attacker can extend the validity of SAML responses by manipulating the timestamp, potentially resulting in prolonged session durations or increased resource usage.

Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization due to the Authorization header parser accepting non-standard characters as separators and tolerating case variations that do not comply with RFC 6750 specifications. An attacker can bypass intended access restrictions by crafting specially formatted authentication headers.

Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the ResourceSetService and PermissionTicketService modules due to improper verification of resourceServer ID. An attacker can access and modify resources belonging to other clients by supplying a valid resourceId in the admin API endpoints, bypassing proper authorization checks.

Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Control Bypass via the /admin/realms/master/users/profile endpoint. An attacker can access internal user profile schema data by leveraging 'create-client' permissions.

Upgrade org.keycloak:keycloak-services to version 26.5.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the WebAuthn Attestation Statement verification. An attacker can influence policy enforcement by manipulating the registration flow or using a rogue authenticator under user control.

Upgrade org.keycloak:keycloak-services to version 26.5.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited emails limited to 64 characters by injecting special characters into the email input field.

Upgrade org.keycloak:keycloak-services to version 26.3.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Session Fixation in the backchannel logout when browser cookies are missing. An attacker using the same browser on the same device can gain unauthorized access to another user's session by reusing authentication session identifiers when browser cookies are missing and session cleanup is not properly performed.

Upgrade org.keycloak:keycloak-services to version 26.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the offline session of a user not being invalidated when the offline_access scope is removed. An attacker can maintain access to refresh tokens and continue to request new tokens by leveraging a session that should have been invalidated after scope removal.

Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Session Expiration in the "Remember Me" realm setting. An attacker with a long-lived "Remember Me" session (e.g., stole the identity cookie) can maintain access for the full original remember-me lifetime to gain unauthorized access to sensitive information or perform actions as another user.

Upgrade org.keycloak:keycloak-services to version 26.4.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the /admin/serverinfo endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console.

Note: Direct access to this endpoint returns a 401 Unauthorized error.

Upgrade org.keycloak:keycloak-services to version 26.4.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the manage-users role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally.

Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name.

Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account.

Note:

This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active.

Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when setting the verification policy to 'ALL'. This is supposed to skip hostname check but an unintended side effect is skipping trust store certificate verification. An attacker can read sensitive data from the system and perform spoofing or redirection attacks by exploiting this vulnerability.

Note:

The ANY mode should not be used in production.

Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication. An attacker can circumvent required actions configured by an administrator such as setting up 2FA by using AIA (Application-initiated actions). If a user account has been required by an administrator to perform a required action, the same user can pass in a URL parameter during the sign in process to exploit this vulnerability.

Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect User Management in oidc/OrganizationMembershipMapper.java, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit.

Upgrade org.keycloak:keycloak-services to version 26.1.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure.

Note: This is only exploitable if the attacker can change realm settings.

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to External Control of File Name or Path. An attacker could read sensitive information from a Vault file that is not within the expected context by exploiting this vulnerability.

Note:

This is only exploitable if the attacker has previous high access to the Keycloak server in order to perform resource creation.

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the SearchQueryUtils method due to improper input sanitization. An attacker could exhaust system resources and achieve denial of service by exploiting this vulnerability.

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of proxy headers resulting in costly DNS resolution operations. An attacker could tie up IO threads and potentially cause a denial of service by exploiting these operations.

Notes:

1. This is only exploitable if the attacker has access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

2. For versions 26.x, this is only exploitable if the realm must have SslRequired=EXTERNAL (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the X-Forwarded-For header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating.

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Exploiting this vulnerability is possible if a Valid Redirect URI is set to http://localhost/ or http://127.0.0.1/.

Upgrade org.keycloak:keycloak-services to version 22.0.13, 24.0.8, 25.0.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking.

Note: This is only exploitable if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1.

Upgrade org.keycloak:keycloak-services to version 22.0.13, 24.0.8, 25.0.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect via the referrer and referrer_uri parameters. This allows an attacker who can convince an admin user to follow a malicious link - which may be further obfuscated by means such as URL encoding - to be redirected to a malicious location.

Upgrade org.keycloak:keycloak-services to version 25.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Enforcement of a Single, Unique Action allowing an attacker to bypass brute force protection mechanisms by initiating multiple login requests simultaneously, thus exceeding the configured limits for failed attempts, before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Note: This is only exploitable if Keycloak is configured with Brute Force Protection.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication due to improper handling of session management during the re-authentication process. An attacker can hijack an active session by exploiting the flawed re-authentication mechanism.

Upgrade org.keycloak:keycloak-services to version 22.0.10, 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Overly Restrictive Account Lockout Mechanism due to a flaw in the account lockout mechanism. This issue may allow a remote unauthenticated attacker to prevent legitimate users from accessing their accounts by exploiting the account lockout functionality.

Note:

This is only exploitable if the realm is configured to use "User (Self) registration", the user registers with a username in email format, and the attacker discovers a valid email address for an account.

Upgrade org.keycloak:keycloak-services to version 24.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.

Upgrade org.keycloak:keycloak-services to version 24.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via the admin REST API endpoints. An attacker with low privileges can perform actions reserved for administrators, potentially leading to data breaches or system compromise by exploiting administrative functionalities without proper authorization.

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using client_secret_post based authentication. This vulnerability derived from client-provided parameters that were included in plain text within the KC_RESTART cookie, which the authorization server returned in its HTTP response to a request_uri authorization request.

To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information.

Note

If you use OIDC confidential clients together with PAR and use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version.

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in a Cookie in the OAuth 2.0 Pushed Authorization Requests (PAR) through the KC_RESTART cookie. An attacker can access sensitive client-provided parameters by intercepting HTTP responses from the authorization server.

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the WebAuthn authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication.

Upgrade org.keycloak:keycloak-services to version 23.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error due to the checkLoginIframe process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to an issue in the redirect_uri validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration.

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication.

Upgrade org.keycloak:keycloak-services to version 22.0.10, 24.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure due to not properly checking client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

Upgrade org.keycloak:keycloak-services to version 20.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them.

Upgrade org.keycloak:keycloak-services to version 22.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the form_post.jwt response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response.

Upgrade org.keycloak:keycloak-services to version 23.0.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the OIDC redirect_uri function. An attacker can submit a specially crafted request leading to cross-site scripting or further attacks by appending a wildcard to the token.

Upgrade org.keycloak:keycloak-services to version 22.0.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to LDAP Injection through the UsernameForm login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query.

Upgrade org.keycloak:keycloak-services to version 23.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the password and password-confirm fields from the form are treated as regular attributes. All users and clients with proper rights/roles are able to retrieve the user's passwords in cleartext.

Upgrade org.keycloak:keycloak-services to version 22.0.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the AssertionConsumerServiceURL implementation. Exploiting this vulnerability is possible by sending a crafted SAML XML request.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens.

Upgrade org.keycloak:keycloak-services to version 21.0.1 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the oob OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

Upgrade org.keycloak:keycloak-services to version 21.0.0 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the execute-actions-email endpoint in the admin REST API. Users can inject HTML into emails sent to other users.

Upgrade org.keycloak:keycloak-services to version 20.0.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which allows an admin user impersonating another user to inject code into a submitted HTML entity.

Upgrade org.keycloak:keycloak-services to version 20.0.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Directory Traversal due to not properly validating URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.

Upgrade org.keycloak:keycloak-services to version 20.0.2 or higher.