pkg:maven/org.keycloak/keycloak-services
Type
maven
Namespace
org.keycloak
Name
keycloak-services
Known advisories, vulnerabilities and fixes for org.keycloak/keycloak-services package.
Critical
2
High
12
Moderate
13
Low
7
| Type | Version | Distribution | # CVEs | # Advisory ID | Title | Severity | Published |
|---|---|---|---|---|---|---|---|
| Affected | < 1.0.2.Final |
CVE-2014-3655
|
 MAVEN:GHSA-237Q-6HJP-PCHQ
|
JBoss KeyCloak is vulnerable to soft token deletion via CSRF | moderate |
2022-05-17T19:57:03
(2 years ago) |
|
| Fixed | = 1.0.2.Final |
CVE-2014-3655
|
MAVEN:GHSA-237Q-6HJP-PCHQ
|
JBoss KeyCloak is vulnerable to soft token deletion via CSRF | moderate |
2022-05-17T19:57:03
(2 years ago) |
|
| Affected | < 24.0.5 |
CVE-2024-3656
|
MAVEN:GHSA-2CWW-FGMG-4JQC
|
Keycloak's admin API allows low privilege users to use administrative functions | high |
2024-06-11T20:22:40
(2 months ago) |
|
| Fixed | = 24.0.5 |
CVE-2024-3656
|
MAVEN:GHSA-2CWW-FGMG-4JQC
|
Keycloak's admin API allows low privilege users to use administrative functions | high |
2024-06-11T20:22:40
(2 months ago) |
|
| Affected | < 21.1.2 |
CVE-2022-4361
|
MAVEN:GHSA-3P62-6FJH-3P5H
|
Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC | critical |
2023-06-30T20:30:50
(14 months ago) |
|
| Fixed | = 21.1.2 |
CVE-2022-4361
|
MAVEN:GHSA-3P62-6FJH-3P5H
|
Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC | critical |
2023-06-30T20:30:50
(14 months ago) |
|
| Affected | < 21.1.2 |
CVE-2023-2422
|
MAVEN:GHSA-3QH5-QQJ2-C78F
|
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients | high |
2023-06-30T20:31:37
(14 months ago) |
|
| Fixed | = 21.1.2 |
CVE-2023-2422
|
MAVEN:GHSA-3QH5-QQJ2-C78F
|
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients | high |
2023-06-30T20:31:37
(14 months ago) |
|
| Affected | >= 23.0.0, < 24.0.3 < 22.0.10 |
CVE-2023-6544
|
MAVEN:GHSA-46C8-635V-68R2
|
Keycloak Authorization Bypass vulnerability | moderate |
2024-04-17T17:33:29
(4 months ago) |
|
| Fixed | = 24.0.3 = 22.0.10 |
CVE-2023-6544
|
MAVEN:GHSA-46C8-635V-68R2
|
Keycloak Authorization Bypass vulnerability | moderate |
2024-04-17T17:33:29
(4 months ago) |
|
| Affected | < 12.0.0 |
CVE-2020-10776
|
MAVEN:GHSA-484Q-784P-8M5H
|
Cross-site Scripting in keycloak | moderate |
2022-02-09T00:58:15
(2 years ago) |
|
| Fixed | = 12.0.0 |
CVE-2020-10776
|
MAVEN:GHSA-484Q-784P-8M5H
|
Cross-site Scripting in keycloak | moderate |
2022-02-09T00:58:15
(2 years ago) |
|
| Affected | >= 23.0.0, < 24.0.3 < 22.0.10 |
CVE-2023-3597
|
MAVEN:GHSA-4F53-XH3V-G8X4
|
Keycloak secondary factor bypass in step-up authentication | moderate |
2024-04-17T17:31:50
(4 months ago) |
|
| Fixed | = 24.0.3 = 22.0.10 |
CVE-2023-3597
|
MAVEN:GHSA-4F53-XH3V-G8X4
|
Keycloak secondary factor bypass in step-up authentication | moderate |
2024-04-17T17:31:50
(4 months ago) |
|
| Affected | < 24.0.1 |
MAVEN:GHSA-4VC8-PG5C-VG4X
|
Keycloak's improper input validation allows using email as username | low |
2024-06-12T19:41:05
(2 months ago) |
||
| Fixed | = 24.0.1 |
MAVEN:GHSA-4VC8-PG5C-VG4X
|
Keycloak's improper input validation allows using email as username | low |
2024-06-12T19:41:05
(2 months ago) |
||
| Affected | < 24.0.5 |
MAVEN:GHSA-4VRX-8PHJ-X3MG
|
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) | high |
2024-06-03T18:30:50
(3 months ago) |
||
| Fixed | = 24.0.5 |
MAVEN:GHSA-4VRX-8PHJ-X3MG
|
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) | high |
2024-06-03T18:30:50
(3 months ago) |
||
| Affected | < 23.0.3 |
MAVEN:GHSA-5968-QW33-H47J
|
Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri | moderate |
2023-12-15T00:31:03
(8 months ago) |
||
| Fixed | = 23.0.3 |
MAVEN:GHSA-5968-QW33-H47J
|
Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri | moderate |
2023-12-15T00:31:03
(8 months ago) |
||
| Affected | < 1.1.0.Beta1 |
CVE-2014-3652
|
MAVEN:GHSA-5R7W-PJX8-99QG
|
JBoss KeyCloak Open Redirect | moderate |
2022-05-17T19:57:08
(2 years ago) |
|
| Fixed | = 1.1.0.Beta1 |
CVE-2014-3652
|
MAVEN:GHSA-5R7W-PJX8-99QG
|
JBoss KeyCloak Open Redirect | moderate |
2022-05-17T19:57:08
(2 years ago) |
|
| Affected | < 24.0.5 |
CVE-2024-4540
|
MAVEN:GHSA-69FP-7C8P-CRJR
|
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) | high |
2024-06-10T18:36:56
(2 months ago) |
|
| Fixed | = 24.0.5 |
CVE-2024-4540
|
MAVEN:GHSA-69FP-7C8P-CRJR
|
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) | high |
2024-06-10T18:36:56
(2 months ago) |
|
| Affected | >= 23.0.0, < 24.0.3 < 22.0.10 |
CVE-2024-1132
|
MAVEN:GHSA-72VP-XFRC-42XM
|
Keycloak path traversal vulnerability in redirection validation | high |
2024-04-17T18:25:08
(4 months ago) |
|
| Fixed | = 24.0.3 = 22.0.10 |
CVE-2024-1132
|
MAVEN:GHSA-72VP-XFRC-42XM
|
Keycloak path traversal vulnerability in redirection validation | high |
2024-04-17T18:25:08
(4 months ago) |
|
| Affected | < 18.0.0 |
CVE-2022-1245
|
MAVEN:GHSA-75P6-52G3-RQC8
|
Keycloak vulnerable to privilege escalation on Token Exchange feature | critical |
2022-04-26T21:21:00
(2 years ago) |
|
| Fixed | = 18.0.0 |
CVE-2022-1245
|
MAVEN:GHSA-75P6-52G3-RQC8
|
Keycloak vulnerable to privilege escalation on Token Exchange feature | critical |
2022-04-26T21:21:00
(2 years ago) |
|
| Affected | >= 23.0.0, < 24.0.3 < 22.0.10 |
CVE-2023-0657
|
MAVEN:GHSA-7FPJ-9HR8-28VH
|
Keycloak vulnerable to impersonation via logout token exchange | low |
2024-04-17T18:25:59
(4 months ago) |
|
| Fixed | = 24.0.3 = 22.0.10 |
CVE-2023-0657
|
MAVEN:GHSA-7FPJ-9HR8-28VH
|
Keycloak vulnerable to impersonation via logout token exchange | low |
2024-04-17T18:25:59
(4 months ago) |
|
| Affected | < 15.1.1 |
CVE-2021-4133
|
MAVEN:GHSA-83X4-9CWR-5487
|
Improper Authorization in Keycloak | high |
2022-01-06T18:32:58
(2 years ago) |
|
| Fixed | = 15.1.1 |
CVE-2021-4133
|
MAVEN:GHSA-83X4-9CWR-5487
|
Improper Authorization in Keycloak | high |
2022-01-06T18:32:58
(2 years ago) |
|
| Affected | < 23.0.1 |
CVE-2022-2232
|
MAVEN:GHSA-8HC5-RMGF-QX6P
|
Keycloak vulnerable to LDAP Injection on UsernameForm Login | low |
2023-11-29T21:33:07
(9 months ago) |
|
| Fixed | = 23.0.1 |
CVE-2022-2232
|
MAVEN:GHSA-8HC5-RMGF-QX6P
|
Keycloak vulnerable to LDAP Injection on UsernameForm Login | low |
2023-11-29T21:33:07
(9 months ago) |
|
| Affected | >= 23.0.0, < 24.0.3 < 22.0.10 |
CVE-2023-6717
|
MAVEN:GHSA-8RMM-GM28-PJ8Q
|
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow | high |
2024-04-17T17:33:04
(4 months ago) |
|
| Fixed | = 24.0.3 = 22.0.10 |
CVE-2023-6717
|
MAVEN:GHSA-8RMM-GM28-PJ8Q
|
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow | high |
2024-04-17T17:33:04
(4 months ago) |
|
| Affected | <= 24.0.3 |
CVE-2024-4629
|
MAVEN:GHSA-8WM9-24QG-M5QJ
|
Keycloak has a brute force login protection bypass | moderate |
2024-09-03T21:31:12
(4 days ago) |
|
| Fixed | = 24.0.4 |
CVE-2024-4629
|
MAVEN:GHSA-8WM9-24QG-M5QJ
|
Keycloak has a brute force login protection bypass | moderate |
2024-09-03T21:31:12
(4 days ago) |
|
| Affected | < 21.0.1 |
CVE-2023-0264
|
MAVEN:GHSA-9G98-5MJ6-F9MV
|
Keycloak vulnerable to user impersonation via stolen UUID code | high |
2023-03-02T23:25:43
(18 months ago) |
|
| Fixed | = 21.0.1 |
CVE-2023-0264
|
MAVEN:GHSA-9G98-5MJ6-F9MV
|
Keycloak vulnerable to user impersonation via stolen UUID code | high |
2023-03-02T23:25:43
(18 months ago) |
|
| Affected | >= 23.0.0, < 24.0.3 < 22.0.10 |
CVE-2023-6787
|
MAVEN:GHSA-C9H6-V78W-52WJ
|
Keycloak vulnerable to session hijacking via re-authentication | moderate |
2024-04-17T18:25:29
(4 months ago) |
|
| Fixed | = 24.0.3 = 22.0.10 |
CVE-2023-6787
|
MAVEN:GHSA-C9H6-V78W-52WJ
|
Keycloak vulnerable to session hijacking via re-authentication | moderate |
2024-04-17T18:25:29
(4 months ago) |
|
| Affected | < 24.0.0 |
MAVEN:GHSA-CQ42-VHV7-XR7P
|
Keycloak Denial of Service via account lockout | low |
2024-06-12T19:42:21
(2 months ago) |
||
| Fixed | = 24.0.0 |
MAVEN:GHSA-CQ42-VHV7-XR7P
|
Keycloak Denial of Service via account lockout | low |
2024-06-12T19:42:21
(2 months ago) |
||
| Affected | < 23.0.3 |
CVE-2023-6134
|
MAVEN:GHSA-CVG2-7C3J-G36J
|
Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri | moderate |
2023-12-18T19:31:02
(8 months ago) |
|
| Fixed | = 23.0.3 |
CVE-2023-6134
|
MAVEN:GHSA-CVG2-7C3J-G36J
|
Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri | moderate |
2023-12-18T19:31:02
(8 months ago) |
|
| Affected | < 21.1.2 |
CVE-2023-2585
|
MAVEN:GHSA-F5H4-WMP5-XHG6
|
Client Spoofing within the Keycloak Device Authorisation Grant | low |
2023-06-30T20:29:25
(14 months ago) |
|
| Fixed | = 21.1.2 |
CVE-2023-2585
|
MAVEN:GHSA-F5H4-WMP5-XHG6
|
Client Spoofing within the Keycloak Device Authorisation Grant | low |
2023-06-30T20:29:25
(14 months ago) |
|
| Affected | >= 23.0.0, < 23.0.5 < 22.0.9 |
CVE-2023-6484
|
MAVEN:GHSA-J628-Q885-8GR5
|
Keycloak vulnerable to log Injection during WebAuthn authentication or registration | low |
2024-04-17T18:24:03
(4 months ago) |
|
| Fixed | = 23.0.5 = 22.0.9 |
CVE-2023-6484
|
MAVEN:GHSA-J628-Q885-8GR5
|
Keycloak vulnerable to log Injection during WebAuthn authentication or registration | low |
2024-04-17T18:24:03
(4 months ago) |
|
| Affected | < 20.0.5 |
CVE-2022-1274
|
MAVEN:GHSA-M4FV-GM5M-4725
|
HTML Injection in Keycloak Admin REST API | moderate |
2023-03-01T17:58:01
(18 months ago) |
|
| Fixed | = 20.0.5 |
CVE-2022-1274
|
MAVEN:GHSA-M4FV-GM5M-4725
|
HTML Injection in Keycloak Admin REST API | moderate |
2023-03-01T17:58:01
(18 months ago) |
|
| Affected | >= 23.0.0, < 24.0.3 < 22.0.10 |
CVE-2024-1249
|
MAVEN:GHSA-M6Q9-P373-G5Q8
|
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS | high |
2024-04-17T18:24:38
(4 months ago) |
|
| Fixed | = 24.0.3 = 22.0.10 |
CVE-2024-1249
|
MAVEN:GHSA-M6Q9-P373-G5Q8
|
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS | high |
2024-04-17T18:24:38
(4 months ago) |
|
| Affected | < 23.0.3 |
CVE-2023-6291
|
MAVEN:GHSA-MPWQ-J3XF-7M5W
|
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted | high |
2023-12-21T18:25:30
(8 months ago) |
|
| Fixed | = 23.0.3 |
CVE-2023-6291
|
MAVEN:GHSA-MPWQ-J3XF-7M5W
|
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted | high |
2023-12-21T18:25:30
(8 months ago) |
|
| Affected | >= 23.0.0, < 24.0.3 < 22.0.10 |
CVE-2024-2419
|
MAVEN:GHSA-MRV8-PQFJ-7GP5
|
Keycloak path traversal vulnerability in the redirect validation | high |
2024-04-17T17:31:12
(4 months ago) |
|
| Fixed | = 24.0.3 = 22.0.10 |
CVE-2024-2419
|
MAVEN:GHSA-MRV8-PQFJ-7GP5
|
Keycloak path traversal vulnerability in the redirect validation | high |
2024-04-17T17:31:12
(4 months ago) |
|
| Affected | < 18.0.0 |
MAVEN:GHSA-MWM4-5QWR-G9PF
|
Keycloak is vulnerable to IDN homograph attack | low |
2022-04-28T21:00:31
(2 years ago) |
||
| Fixed | = 18.0.0 |
MAVEN:GHSA-MWM4-5QWR-G9PF
|
Keycloak is vulnerable to IDN homograph attack | low |
2022-04-28T21:00:31
(2 years ago) |
||
| Affected | < 18.0.0 |
CVE-2021-3424
|
MAVEN:GHSA-PF38-CW3P-22Q9
|
Keycloak is vulnerable to IDN homograph attack | moderate |
2022-04-28T21:00:21
(2 years ago) |
|
| Fixed | = 18.0.0 |
CVE-2021-3424
|
MAVEN:GHSA-PF38-CW3P-22Q9
|
Keycloak is vulnerable to IDN homograph attack | moderate |
2022-04-28T21:00:21
(2 years ago) |
|
| Affected | <= 21.0.0 |
CVE-2022-1438
|
MAVEN:GHSA-W354-2F3C-QVG9
|
Keycloak vulnerable to Cross-site Scripting | moderate |
2023-03-01T16:18:55
(18 months ago) |
|
| Affected | < 1.0.3.Final |
CVE-2014-3709
|
MAVEN:GHSA-XR6Q-QQX7-553G
|
JBoss Keycloak CSRF Vulnerability | high |
2022-05-17T00:26:04
(2 years ago) |
|
| Fixed | = 1.0.3.Final |
CVE-2014-3709
|
MAVEN:GHSA-XR6Q-QQX7-553G
|
JBoss Keycloak CSRF Vulnerability | high |
2022-05-17T00:26:04
(2 years ago) |
|
| Affected | < 4.4.0.Final |
CVE-2018-10894
|
MAVEN:GHSA-XVV8-8WH9-9FH2
|
Keycloak Authentication Error | moderate |
2022-05-13T01:34:55
(2 years ago) |
|
| Fixed | = 4.4.0.Final |
CVE-2018-10894
|
MAVEN:GHSA-XVV8-8WH9-9FH2
|
Keycloak Authentication Error | moderate |
2022-05-13T01:34:55
(2 years ago) |