- Snyk ID SNYK-JS-KEYCLOAKCONNECT-5462007
- published 2 Mar 2023
- disclosed 1 Mar 2023
- credit Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz
How to fix?
Upgrade keycloak-connect to version 21.0.1 or higher.
keycloak-connect is an Identity and Access Management solution for modern Applications and Services.
Affected versions of this package are vulnerable to Open Redirect.
The checkSSO function forwards the request to Keycloak with the query parameter `prompt=none`. This can authenticate the user without any interaction, as long as the user already holds an active Keycloak session.
Note: This package is deprecated and will be removed in the future.
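The following is an added example written for this page, not code from keycloak-connect or the Keycloak project. It shows a checkSso-style handler that sends the browser to Keycloak with `prompt=none`, first in a form that forwards a caller-supplied redirect target unchecked, then hardened so that the post-authentication return target can only be a path on the application's own origin. The realm URL, client id, application origin and all function names (`buildAuthUrl`, `checkSsoUnsafe`, `safeReturnPath`, `checkSsoHardened`, `interpretSilentCallback`) are assumptions made for the example.

```javascript
// Added example, not code from keycloak-connect: a checkSso-style handler that
// sends the browser to Keycloak with prompt=none, first forwarding a
// caller-supplied redirect target unchecked, then hardened to return only to
// the application's own origin. All names and URLs below are assumptions.

const KEYCLOAK_AUTH = 'https://sso.example.com/realms/demo/protocol/openid-connect/auth'; // assumed realm
const CLIENT_ID = 'demo-app';                    // assumed client id
const APP_ORIGIN = 'https://app.example.com';    // the only origin we may return to

// Build the authorization request. prompt=none asks Keycloak to complete the
// flow silently: if the browser already holds a Keycloak session the user is
// authenticated with no interaction, otherwise Keycloak answers with an error.
function buildAuthUrl(redirectUri) {
  const u = new URL(KEYCLOAK_AUTH);
  u.searchParams.set('client_id', CLIENT_ID);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('scope', 'openid');
  u.searchParams.set('prompt', 'none');
  u.searchParams.set('redirect_uri', redirectUri);
  return u.toString();
}

// Weak variant: whatever arrived in ?redirect_uri= is forwarded to Keycloak.
// A link crafted by an attacker silently authenticates the victim and sends
// them to the attacker's target, with only the client's Valid Redirect URIs
// setting on the Keycloak side left to stop it.
function checkSsoUnsafe(query) {
  return buildAuthUrl(query.redirect_uri);
}

// Hardened variant: accept only an application-local path. Resolving the
// candidate against our own origin and then re-checking the origin catches
// "//evil", "/\evil" and absolute URLs alike; anything else falls back to "/".
function safeReturnPath(candidate) {
  if (typeof candidate !== 'string' || !candidate.startsWith('/')) return '/';
  const resolved = new URL(candidate, APP_ORIGIN);
  if (resolved.origin !== APP_ORIGIN) return '/';
  return resolved.pathname + resolved.search;   // fragment is deliberately dropped
}

function checkSsoHardened(query) {
  return buildAuthUrl(APP_ORIGIN + safeReturnPath(query.return_to));
}

// On the way back, prompt=none yields error=login_required when there is no
// Keycloak session. Treat that as "anonymous" instead of redirecting again,
// otherwise the silent check loops forever.
function interpretSilentCallback(query) {
  if (query.error === 'login_required' || query.error === 'interaction_required') {
    return { authenticated: false };
  }
  if (typeof query.code === 'string' && query.code.length > 0) {
    return { authenticated: true, code: query.code };
  }
  return { authenticated: false };
}
```

The origin comparison after resolving against `APP_ORIGIN` is what does the work: a plain `startsWith('/')` check alone lets `//evil.example` and `/\evil.example` through, because the WHATWG URL parser treats both as scheme-relative authorities. Note also that the application-side check is a complement to, not a replacement for, a tight Valid Redirect URIs list on the Keycloak client; a wildcard there removes the server-side backstop entirely.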