keycloak

Link	package \| bugs open \| bugs closed \| Wiki \| GitHub \| web search
Description	Open Source Identity and Access Management For Modern Applications and Services
Version	12.0.2-1 [community]

Open

Group	Affected	Fixed	Severity	Status	Ticket
AVG-1332	12.0.2-1		Medium	Vulnerable

Issue	Group	Severity	Remote	Type	Description
CVE-2020-35509	AVG-1332	Medium	Yes	Certificate verification bypass	Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct- grant...
CVE-2020-27838	AVG-1332	Medium	Yes	Information disclosure	Client registration endpoints should not allow fetching information about public clients without authentication.
CVE-2020-14359	AVG-1332	Medium	Yes	Insufficient validation	A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted...
CVE-2020-14302	AVG-1332	Medium	Yes	Insufficient validation	A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that...
CVE-2020-10770	AVG-1332	Medium	Yes	Cross-site request forgery	A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri....
CVE-2020-1725	AVG-1332	Medium	Yes	Authentication bypass	A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after...
CVE-2020-1723	AVG-1332	Low	Yes	Open redirect	A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages....

Resolved

Group	Affected	Fixed	Severity	Status	Ticket
AVG-1471	11.0.3-1	12.0.0-1	Medium	Fixed
AVG-1373	11.0.3-1	12.0.0-1	Medium	Fixed
AVG-1158	10.0.0-1	10.0.1-1	High	Fixed	FS#66642

Issue	Group	Severity	Remote	Type	Description
CVE-2020-27826	AVG-1373	Medium	Yes	Privilege escalation	A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now...
CVE-2020-14366	AVG-1471	Medium	Yes	Directory traversal	A vulnerability was found in keycloak, where path traversal using URL- encoded path segments in the request is possible because the resources endpoint...
CVE-2020-1714	AVG-1158	High	Yes	Arbitrary code execution	A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject...

Issue

Group

Severity

Remote

Type

Description

CVE-2020-27826

AVG-1373

Medium

Yes

Privilege escalation

A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now...

CVE-2020-14366

AVG-1471

Medium

Yes

Directory traversal

A vulnerability was found in keycloak, where path traversal using URL- encoded path segments in the request is possible because the resources endpoint...

CVE-2020-1714

AVG-1158

High

Yes

Arbitrary code execution

A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject...

Advisories

Date	Advisory	Group	Severity	Description
16 May 2020	ASA-202005-8	AVG-1158	High	arbitrary code execution