keycloak
Description | Open Source Identity and Access Management For Modern Applications and Services |
Version | 12.0.2-1 [community] |
Open
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1332 | 12.0.2-1 | | Medium | Vulnerable | |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2020-35509 | AVG-1332 | Medium | Yes | Certificate verification bypass | Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct-grant... |
| CVE-2020-27838 | AVG-1332 | Medium | Yes | Information disclosure | Client registration endpoints should not allow fetching information about public clients without authentication. |
| CVE-2020-14359 | AVG-1332 | Medium | Yes | Insufficient validation | A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted... |
| CVE-2020-14302 | AVG-1332 | Medium | Yes | Insufficient validation | A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that... |
| CVE-2020-10770 | AVG-1332 | Medium | Yes | Cross-site request forgery | A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri.... |
| CVE-2020-1725 | AVG-1332 | Medium | Yes | Authentication bypass | A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after... |
| CVE-2020-1723 | AVG-1332 | Low | Yes | Open redirect | A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages.... |
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1471 | 11.0.3-1 | 12.0.0-1 | Medium | Fixed | |
| AVG-1373 | 11.0.3-1 | 12.0.0-1 | Medium | Fixed | |
| AVG-1158 | 10.0.0-1 | 10.0.1-1 | High | Fixed | FS#66642 |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2020-27826 | AVG-1373 | Medium | Yes | Privilege escalation | A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now... |
| CVE-2020-14366 | AVG-1471 | Medium | Yes | Directory traversal | A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint... |
| CVE-2020-1714 | AVG-1158 | High | Yes | Arbitrary code execution | A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject... |
Advisories
| Date | Advisory | Group | Severity | Description |
|---|---|---|---|---|
| 16 May 2020 | ASA-202005-8 | AVG-1158 | High | arbitrary code execution |