keycloak

Description Open Source Identity and Access Management For Modern Applications and Services
Version 12.0.2-1 [community]

Open

Group Affected Fixed Severity Status Ticket
AVG-1332 12.0.2-1 Medium Vulnerable
Issue Group Severity Remote Type Description
CVE-2020-35509 AVG-1332 Medium Yes Certificate verification bypass
Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct-grant...
CVE-2020-27838 AVG-1332 Medium Yes Information disclosure
Client registration endpoints should not allow fetching information about public clients without authentication.
CVE-2020-14359 AVG-1332 Medium Yes Insufficient validation
A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted...
CVE-2020-14302 AVG-1332 Medium Yes Insufficient validation
A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that...
CVE-2020-10770 AVG-1332 Medium Yes Cross-site request forgery
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri....
CVE-2020-1725 AVG-1332 Medium Yes Authentication bypass
A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after...
CVE-2020-1723 AVG-1332 Low Yes Open redirect
A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages....

Resolved

Group Affected Fixed Severity Status Ticket
AVG-1471 11.0.3-1 12.0.0-1 Medium Fixed
AVG-1373 11.0.3-1 12.0.0-1 Medium Fixed
AVG-1158 10.0.0-1 10.0.1-1 High Fixed FS#66642
Issue Group Severity Remote Type Description
CVE-2020-27826 AVG-1373 Medium Yes Privilege escalation
A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now...
CVE-2020-14366 AVG-1471 Medium Yes Directory traversal
A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint...
CVE-2020-1714 AVG-1158 High Yes Arbitrary code execution
A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject...

Advisories

Date Advisory Group Severity Description
16 May 2020 ASA-202005-8 AVG-1158 High arbitrary code execution