keycloak

Description: Open Source Identity and Access Management For Modern Applications and Services
Version: 15.0.2-1 [community]

Open

Group     Affected  Fixed  Severity  Status      Ticket
AVG-1332  15.0.2-1  -      High      Vulnerable  -

Issue           Group     Severity  Remote  Type                            Description (on the following line)
CVE-2021-20262  AVG-1332  Medium    Yes     Authentication bypass
    A security issue was found in Keycloak where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an...
CVE-2021-3827   AVG-1332  High      Yes     Authentication bypass
    A security issue was found in keycloak version 15 where, because of the default ECP binding flow, any other authentication flow can be bypassed. By...
CVE-2021-3632   AVG-1332  High      Yes     Authentication bypass
    A security issue was found in keycloak where it is possible for anyone to register a new security device/key when there is no device already registered for any...
CVE-2021-3424   AVG-1332  Medium    Yes     Content spoofing
    A security issue was found in keycloak where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and...
CVE-2020-14359  AVG-1332  Medium    Yes     Insufficient validation
    A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted...
CVE-2020-10734  AVG-1332  Medium    Yes     Cross-site request forgery
    A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have cross-site request forgery (CSRF) protection.
CVE-2020-1725   AVG-1332  Medium    Yes     Authentication bypass
    A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after...
CVE-2020-1723   AVG-1332  Low       Yes     Open redirect
    A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages....
CVE-2020-1717   AVG-1332  Low       Yes     Information disclosure
    A security issue was found in keycloak. An attacker could use the change email function in the account settings to determine if an email address was already...

Resolved

Group     Affected  Fixed     Severity  Status  Ticket
AVG-2084  13.0.1-1  14.0.0-1  Medium    Fixed   -
AVG-1994  13.0.0-1  13.0.1-1  Low       Fixed   -
AVG-1926  12.0.4-1  13.0.0-1  High      Fixed   -
AVG-1578  12.0.2-1  12.0.3-1  High      Fixed   -
AVG-1577  12.0.1-1  12.0.2-1  Medium    Fixed   -
AVG-1471  11.0.3-1  12.0.0-1  Medium    Fixed   -
AVG-1373  11.0.3-1  12.0.0-1  Medium    Fixed   -
AVG-1158  10.0.0-1  10.0.1-1  High      Fixed   FS#66642

Issue           Group     Severity  Remote  Type                             Description (on the following line)
CVE-2021-20222  AVG-1926  High      Yes     Cross-site scripting
    A security issue was found in keycloak before version 13.0.0. The new account console in keycloak can allow malicious code to be executed using the referrer URL.
CVE-2021-20202  AVG-1926  Medium    No      Information disclosure
    A security issue was found in keycloak before version 13.0.0. Directories can be created prior to the Java process creating them in the temporary directory,...
CVE-2021-20195  AVG-1578  High      Yes     Cross-site scripting
    A security issue was found in keycloak before version 12.0.3. A self-stored cross-site scripting (XSS) attack vector escalating to a complete account...
CVE-2021-3513   AVG-1926  Medium    Yes     Information disclosure
    A security issue was found in keycloak before version 13.0.0 where brute force attacks are possible even when the permanent lockout feature is enabled...
CVE-2021-3461   AVG-1994  Low       Yes     Incorrect calculation
    Keycloak may fail to logout a user session if the logout request comes from an external SAML identity provider that is set up to identify the principal via...
CVE-2020-35509  AVG-2084  Medium    Yes     Certificate verification bypass
    A security issue has been found in Keycloak before version 14.0.0. Depending on the webserver configuration, a malicious user can supply an expired...
CVE-2020-27838  AVG-1926  Medium    Yes     Information disclosure
    A security issue was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like...
CVE-2020-27826  AVG-1373  Medium    Yes     Privilege escalation
    A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now...
CVE-2020-14366  AVG-1471  Medium    Yes     Directory traversal
    A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint...
CVE-2020-14302  AVG-1926  Medium    Yes     Insufficient validation
    A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that...
CVE-2020-10770  AVG-1577  Medium    Yes     Cross-site request forgery
    A flaw was found in Keycloak before 12.0.2, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri....
CVE-2020-1714   AVG-1158  High      Yes     Arbitrary code execution
    A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject...

Advisories

Date         Advisory       Group     Severity  Type
22 Jun 2021  ASA-202106-53  AVG-2084  Medium    certificate verification bypass
01 Jun 2021  ASA-202106-19  AVG-1994  Low       incorrect calculation
19 May 2021  ASA-202105-6   AVG-1926  High      multiple issues
20 Feb 2021  ASA-202102-29  AVG-1578  High      cross-site scripting
16 May 2020  ASA-202005-8   AVG-1158  High      arbitrary code execution