| Description | Open Source Identity and Access Management For Modern Applications and Services |

| Issue | Group | Severity | Remote? | Type | Description |
|---|---|---|---|---|---|
| CVE-2020-35509 | AVG-1332 | Medium | Yes | Certificate verification bypass | Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct-grant... |
| CVE-2020-10770 | AVG-1332 | Medium | Yes | Cross-site request forgery | A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri.... |
| CVE-2020-1714 | AVG-1158 | High | Yes | Arbitrary code execution | A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject... |

Client registration endpoints should not allow fetching information about public clients without authentication.

A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted...

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that...

A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after...

A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages....

A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now...

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint...

| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 16 May 2020 | ASA-202005-8 | AVG-1158 | High | arbitrary code execution |