org.keycloak:keycloak-services 26.0.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M External Control of File Name or Path org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of File Name or Path due to the vault secret lookup not accounting for the Windows file separator `\` on Windows systems. An attacker can access information about the existence of files outside the intended context by submitting specially crafted requests. Note: This issue stems from incomplete fix for CVE-2024-10492. How to fix External Control of File Name or Path? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Exposure of Sensitive System Information to an Unauthorized Control Sphere org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the `/admin/serverinfo` endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console. Note: Direct access to this endpoint returns a 401 Unauthorized error. How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
L Improper Privilege Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the `manage-users` role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally. Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name. How to fix Improper Privilege Management? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Origin Validation Error org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error via the `review profile` process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account. Note: This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active. How to fix Origin Validation Error? Upgrade `org.keycloak:keycloak-services` to version 26.3.0 or higher.	[,26.3.0)
H Improper Validation of Certificate with Host Mismatch org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when setting the verification policy to 'ALL'. This is supposed to skip hostname check but an unintended side effect is skipping trust store certificate verification. An attacker can read sensitive data from the system and perform spoofing or redirection attacks by exploiting this vulnerability. Note: The `ANY` mode should not be used in production. How to fix Improper Validation of Certificate with Host Mismatch? Upgrade `org.keycloak:keycloak-services` to version 26.2.2 or higher.	[,26.2.2)
M Improper Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication. An attacker can circumvent required actions configured by an administrator such as setting up 2FA by using AIA (Application-initiated actions). If a user account has been required by an administrator to perform a required action, the same user can pass in a URL parameter during the sign in process to exploit this vulnerability. How to fix Improper Authentication? Upgrade `org.keycloak:keycloak-services` to version 26.2.2 or higher.	[,26.2.2)
M Allocation of Resources Without Limits or Throttling org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.keycloak:keycloak-services` to version 26.0.11, 26.1.5 or higher.	[23.0.0,26.0.11)[26.1.0,26.1.5)
M Incorrect User Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect User Management in `oidc/OrganizationMembershipMapper.java`, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit. How to fix Incorrect User Management? Upgrade `org.keycloak:keycloak-services` to version 26.1.3 or higher.	[,26.1.3)
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-services` to version 26.0.8 or higher.	[,26.0.8)
M Denial of Service (DoS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure. Note: This is only exploitable if the attacker can change realm settings. How to fix Denial of Service (DoS)? Upgrade `org.keycloak:keycloak-services` to version 26.0.8 or higher.	[,26.0.8)
M External Control of File Name or Path org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of File Name or Path. An attacker could read sensitive information from a Vault file that is not within the expected context by exploiting this vulnerability. Note: This is only exploitable if the attacker has previous high access to the Keycloak server in order to perform resource creation. How to fix External Control of File Name or Path? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)
H Regular Expression Denial of Service (ReDoS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `SearchQueryUtils` method due to improper input sanitization. An attacker could exhaust system resources and achieve denial of service by exploiting this vulnerability. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)
M HTTP Request Smuggling org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of proxy headers resulting in costly DNS resolution operations. An attacker could tie up IO threads and potentially cause a denial of service by exploiting these operations. Notes: This is only exploitable if the attacker has access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers. For versions 26.x, this is only exploitable if the realm must have `SslRequired=EXTERNAL` (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the `X-Forwarded-For` header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating. How to fix HTTP Request Smuggling? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)

Vulnerability

Vulnerable Version

External Control of File Name or Path

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to External Control of File Name or Path due to the vault secret lookup not accounting for the Windows file separator \ on Windows systems. An attacker can access information about the existence of files outside the intended context by submitting specially crafted requests.

Note:

This issue stems from incomplete fix for CVE-2024-10492.

How to fix External Control of File Name or Path?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Exposure of Sensitive System Information to an Unauthorized Control Sphere

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the /admin/serverinfo endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console.

Note: Direct access to this endpoint returns a 401 Unauthorized error.

How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Improper Privilege Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the manage-users role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally.

Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name.

How to fix Improper Privilege Management?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Origin Validation Error

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account.

Note:

This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active.

How to fix Origin Validation Error?

Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

[,26.3.0)

Improper Validation of Certificate with Host Mismatch

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when setting the verification policy to 'ALL'. This is supposed to skip hostname check but an unintended side effect is skipping trust store certificate verification. An attacker can read sensitive data from the system and perform spoofing or redirection attacks by exploiting this vulnerability.

Note:

The ANY mode should not be used in production.

How to fix Improper Validation of Certificate with Host Mismatch?

Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

[,26.2.2)

Improper Authentication

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication. An attacker can circumvent required actions configured by an administrator such as setting up 2FA by using AIA (Application-initiated actions). If a user account has been required by an administrator to perform a required action, the same user can pass in a URL parameter during the sign in process to exploit this vulnerability.

How to fix Improper Authentication?

Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

[,26.2.2)

Allocation of Resources Without Limits or Throttling

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.keycloak:keycloak-services to version 26.0.11, 26.1.5 or higher.

[23.0.0,26.0.11)[26.1.0,26.1.5)

Incorrect User Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect User Management in oidc/OrganizationMembershipMapper.java, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit.

How to fix Incorrect User Management?

Upgrade org.keycloak:keycloak-services to version 26.1.3 or higher.

[,26.1.3)

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

[,26.0.8)

Denial of Service (DoS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure.

Note: This is only exploitable if the attacker can change realm settings.

How to fix Denial of Service (DoS)?

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

[,26.0.8)

External Control of File Name or Path

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to External Control of File Name or Path. An attacker could read sensitive information from a Vault file that is not within the expected context by exploiting this vulnerability.

Note:

This is only exploitable if the attacker has previous high access to the Keycloak server in order to perform resource creation.

How to fix External Control of File Name or Path?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

Regular Expression Denial of Service (ReDoS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the SearchQueryUtils method due to improper input sanitization. An attacker could exhaust system resources and achieve denial of service by exploiting this vulnerability.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

HTTP Request Smuggling

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of proxy headers resulting in costly DNS resolution operations. An attacker could tie up IO threads and potentially cause a denial of service by exploiting these operations.

Notes:

This is only exploitable if the attacker has access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
For versions 26.x, this is only exploitable if the realm must have SslRequired=EXTERNAL (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the X-Forwarded-For header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating.

How to fix HTTP Request Smuggling?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

org.keycloak:keycloak-services@26.0.0 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?