AVG-1332 log

Package keycloak
Status Fixed
Severity High
Type multiple issues
Affected 15.0.2-1
Fixed 16.0.0-1
Current 26.0.7-1 [extra]
Ticket None
Created Tue Dec 8 14:05:43 2020
Issue Severity Remote Type Description
CVE-2021-20262 Medium Yes Authentication bypass
A security issue was found in Keycloak where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an...
CVE-2021-3827 High Yes Authentication bypass
A security issue was found in keycloak version 15 where because of the default ECP binding flow, any other authentication flow can be bypassed. By...
CVE-2021-3632 High Yes Authentication bypass
A security issue was found in keycloak where it possible for anyone to register a new security device/key when there is no device already registered for any...
CVE-2021-3424 Medium Yes Content spoofing
A security issue was found in keycloak where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and...
CVE-2020-14359 Medium Yes Insufficient validation
A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted...
CVE-2020-10734 Medium Yes Cross-site request forgery
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have cross-site request forgery (CSRF) protection.
CVE-2020-1725 Medium Yes Authentication bypass
A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after...
CVE-2020-1723 Low Yes Open redirect
A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages....
CVE-2020-1717 Low Yes Information disclosure
A security issue was found in keycloak. An attacker could use the change email function in the account settings to determine if an email address was already...