keycloak
| Link | package | bugs open | bugs closed | Wiki | GitHub | web search |
| Description | Open Source Identity and Access Management For Modern Applications and Services |
| Version | 15.0.2-1 [community] |
Open
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1332 | 15.0.2-1 | High | Vulnerable |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-20262 | AVG-1332 | Medium | Yes | Authentication bypass | A security issue was found in Keycloak where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an... |
| CVE-2021-3827 | AVG-1332 | High | Yes | Authentication bypass | A security issue was found in keycloak version 15 where because of the default ECP binding flow, any other authentication flow can be bypassed. By... |
| CVE-2021-3632 | AVG-1332 | High | Yes | Authentication bypass | A security issue was found in keycloak where it possible for anyone to register a new security device/key when there is no device already registered for any... |
| CVE-2021-3424 | AVG-1332 | Medium | Yes | Content spoofing | A security issue was found in keycloak where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and... |
| CVE-2020-14359 | AVG-1332 | Medium | Yes | Insufficient validation | A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted... |
| CVE-2020-10734 | AVG-1332 | Medium | Yes | Cross-site request forgery | A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have cross-site request forgery (CSRF) protection. |
| CVE-2020-1725 | AVG-1332 | Medium | Yes | Authentication bypass | A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after... |
| CVE-2020-1723 | AVG-1332 | Low | Yes | Open redirect | A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages.... |
| CVE-2020-1717 | AVG-1332 | Low | Yes | Information disclosure | A security issue was found in keycloak. An attacker could use the change email function in the account settings to determine if an email address was already... |
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-2084 | 13.0.1-1 | 14.0.0-1 | Medium | Fixed | |
| AVG-1994 | 13.0.0-1 | 13.0.1-1 | Low | Fixed | |
| AVG-1926 | 12.0.4-1 | 13.0.0-1 | High | Fixed | |
| AVG-1578 | 12.0.2-1 | 12.0.3-1 | High | Fixed | |
| AVG-1577 | 12.0.1-1 | 12.0.2-1 | Medium | Fixed | |
| AVG-1471 | 11.0.3-1 | 12.0.0-1 | Medium | Fixed | |
| AVG-1373 | 11.0.3-1 | 12.0.0-1 | Medium | Fixed | |
| AVG-1158 | 10.0.0-1 | 10.0.1-1 | High | Fixed | FS#66642 |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-20222 | AVG-1926 | High | Yes | Cross-site scripting | A security issue was found in keycloak before version 13.0.0. The new account console in keycloak can allow malicious code to be executed using the referrer URL. |
| CVE-2021-20202 | AVG-1926 | Medium | No | Information disclosure | A security issue was found in keycloak before version 13.0.0. Directories can be created prior to the Java process creating them in the temporary directory,... |
| CVE-2021-20195 | AVG-1578 | High | Yes | Cross-site scripting | A security issue was found in keycloak before version 12.0.3. A self stored cross-site scripting (XSS) attack vector escalating to a complete account... |
| CVE-2021-3513 | AVG-1926 | Medium | Yes | Information disclosure | A security issue was found in keycloak before version 13.0.0 where brute force attacks are possible even when the permanent lockout feature is enabled... |
| CVE-2021-3461 | AVG-1994 | Low | Yes | Incorrect calculation | Keycloak may fail to logout a user session if the logout request comes from an external SAML identity provider that is set up to identify the principal via... |
| CVE-2020-35509 | AVG-2084 | Medium | Yes | Certificate verification bypass | A security issue has been found in Keycloak before version 14.0.0. Depending on the webserver configuration, a malicious user can supply an expired... |
| CVE-2020-27838 | AVG-1926 | Medium | Yes | Information disclosure | A security issue was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like... |
| CVE-2020-27826 | AVG-1373 | Medium | Yes | Privilege escalation | A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now... |
| CVE-2020-14366 | AVG-1471 | Medium | Yes | Directory traversal | A vulnerability was found in keycloak, where path traversal using URL- encoded path segments in the request is possible because the resources endpoint... |
| CVE-2020-14302 | AVG-1926 | Medium | Yes | Insufficient validation | A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that... |
| CVE-2020-10770 | AVG-1577 | Medium | Yes | Cross-site request forgery | A flaw was found in Keycloak before 12.0.2, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri.... |
| CVE-2020-1714 | AVG-1158 | High | Yes | Arbitrary code execution | A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject... |
Advisories
| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 22 Jun 2021 | ASA-202106-53 | AVG-2084 | Medium | certificate verification bypass |
| 01 Jun 2021 | ASA-202106-19 | AVG-1994 | Low | incorrect calculation |
| 19 May 2021 | ASA-202105-6 | AVG-1926 | High | multiple issues |
| 20 Feb 2021 | ASA-202102-29 | AVG-1578 | High | cross-site scripting |
| 16 May 2020 | ASA-202005-8 | AVG-1158 | High | arbitrary code execution |