CVE-2021-20262 |
AVG-1332 |
Medium |
Yes |
Authentication bypass |
A security issue was found in Keycloak where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an... |
CVE-2021-20222 |
AVG-1332 |
High |
Yes |
Cross-site scripting |
A security issue was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. |
CVE-2021-20202 |
AVG-1332 |
Medium |
No |
Information disclosure |
A security issue was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user... |
CVE-2021-3461 |
AVG-1332 |
Low |
Yes |
Incorrect calculation |
Keycloak may fail to logout a user session if the logout request comes from an external SAML identity provider that is set up to identify the principal via... |
CVE-2021-3424 |
AVG-1332 |
Medium |
Yes |
Content spoofing |
A security issue was found in keycloak where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and... |
CVE-2020-35509 |
AVG-1332 |
Medium |
Yes |
Certificate verification bypass |
Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct- grant... |
CVE-2020-27838 |
AVG-1332 |
Medium |
Yes |
Information disclosure |
A security issue was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like... |
CVE-2020-14359 |
AVG-1332 |
Medium |
Yes |
Insufficient validation |
A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted... |
CVE-2020-14302 |
AVG-1332 |
Medium |
Yes |
Insufficient validation |
A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that... |
CVE-2020-10734 |
AVG-1332 |
Medium |
Yes |
Cross-site request forgery |
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have cross-site request forgery (CSRF) protection. |
CVE-2020-1725 |
AVG-1332 |
Medium |
Yes |
Authentication bypass |
A security issue was found in keycloak. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after... |
CVE-2020-1723 |
AVG-1332 |
Low |
Yes |
Open redirect |
A security issue was found in keycloak. The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages.... |
CVE-2020-1717 |
AVG-1332 |
Low |
Yes |
Information disclosure |
A security issue was found in keycloak. An attacker could use the change email function in the account settings to determine if an email address was already... |