Description: Open Source Identity and Access Management For Modern Applications and Services
A security issue was found in Keycloak where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an...
A security issue was found in keycloak version 15 where because of the default ECP binding flow, any other authentication flow can be bypassed. By...
A security issue was found in keycloak where it is possible for anyone to register a new security device/key when there is no device already registered for any...
A security issue was found in keycloak where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and...
A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted...
| Issue | Group | Severity | Remote | Type |
|---|---|---|---|---|
| CVE-2020-10734 | AVG-1332 | Medium | Yes | Cross-site request forgery |
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have cross-site request forgery (CSRF) protection.
A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after...
A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages....
A security issue was found in keycloak. An attacker could use the change email function in the account settings to determine if an email address was already...
A security issue was found in keycloak before version 13.0.0. The new account console in keycloak can allow malicious code to be executed using the referrer URL.
A security issue was found in keycloak before version 13.0.0. Directories can be created prior to the Java process creating them in the temporary directory,...
A security issue was found in keycloak before version 12.0.3. A self stored cross-site scripting (XSS) attack vector escalating to a complete account...
A security issue was found in keycloak before version 13.0.0 where brute force attacks are possible even when the permanent lockout feature is enabled...
Keycloak may fail to logout a user session if the logout request comes from an external SAML identity provider that is set up to identify the principal via...
| Issue | Group | Severity | Remote | Type |
|---|---|---|---|---|
| CVE-2020-35509 | AVG-2084 | Medium | Yes | Certificate verification bypass |
A security issue has been found in Keycloak before version 14.0.0. Depending on the webserver configuration, a malicious user can supply an expired...
A security issue was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like...
A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now...
A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint...
A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that...
| Issue | Group | Severity | Remote | Type |
|---|---|---|---|---|
| CVE-2020-10770 | AVG-1577 | Medium | Yes | Cross-site request forgery |
A flaw was found in Keycloak before 12.0.2, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri....
| Issue | Group | Severity | Remote | Type |
|---|---|---|---|---|
| CVE-2020-1714 | AVG-1158 | High | Yes | Arbitrary code execution |
A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject...
| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 22 Jun 2021 | ASA-202106-53 | AVG-2084 | Medium | certificate verification bypass |
| 01 Jun 2021 | ASA-202106-19 | AVG-1994 | Low | incorrect calculation |
| 19 May 2021 | ASA-202105-6 | AVG-1926 | High | multiple issues |
| 20 Feb 2021 | ASA-202102-29 | AVG-1578 | High | cross-site scripting |
| 16 May 2020 | ASA-202005-8 | AVG-1158 | High | arbitrary code execution |