org.keycloak:keycloak-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.keycloak:keycloak-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (48)
CVE-2021-20195 — CVSS 9.6 (critical): A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is…
CVE-2020-1731 — CVSS 9.1 (critical): A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random…
CVE-2019-14837 — CVSS 9.1 (critical): A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing…
CVE-2019-10199 — CVSS 8.8 (high): It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use…
CVE-2017-12161 — CVSS 8.8 (high): It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset…
CVE-2023-4918 — CVSS 8.8 (high): A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration…
CVE-2020-1714 — CVSS 8.8 (high): A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw…
CVE-2020-14389 — CVSS 8.1 (high): It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account…
CVE-2019-10201 — CVSS 8.1 (high): It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML…
CVE-2017-2646 — CVSS 7.5 (high): It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the…
CVE-2014-3651 — CVSS 7.5 (high): JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size…
CVE-2023-6841 — CVSS 7.5 (high): A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending…
CVE-2021-3632 — CVSS 7.5 (high): A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already…
CVE-2021-20202 — CVSS 7.3 (high): A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider…
CVE-2021-20262 — CVSS 6.8 (medium): A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to…
CVE-2019-10170 — CVSS 6.6 (medium): A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw…
CVE-2023-1664 — CVSS 6.5 (medium): A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the…
CVE-2016-8629 — CVSS 6.5 (medium): Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the…
CVE-2017-2582 — CVSS 6.5 (medium): It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining…
CVE-2019-3875 — CVSS 6.5 (medium): A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the…
CVE-2020-27838 — CVSS 6.5 (medium): A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients…
CVE-2022-1466 — CVSS 6.5 (medium): Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform…
CVE-2023-0105 — CVSS 6.5 (medium): A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An…
CVE-2024-7260 — CVSS 6.1 (medium): An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri…
CVE-2020-1697 — CVSS 6.1 (medium): It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not…
CVE-2018-14637 — CVSS 6.1 (medium): The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can…
CVE-2018-14658 — CVSS 6.1 (medium): A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc…
CVE-2017-2585 — CVSS 5.9 (medium): Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in…
CVE-2020-1744 — CVSS 5.6 (medium): A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP…
CVE-2020-35509 — CVSS 5.4 (medium): A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant…
CVE-2022-0225 — CVSS 5.4 (medium): A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new…
CVE-2020-10770 — CVSS 5.3 (medium): A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter…
CVE-2020-1698 — CVSS 5.0 (medium): A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter…
CVE-2018-10912 — CVSS 4.9 (medium): keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could…
CVE-2024-7318 — CVSS 4.8 (medium): A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds…
CVE-2020-1728 — CVSS 4.8 (medium): A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing…
CVE-2023-6927 — CVSS 4.6 (medium): A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the…
CVE-2021-3856 — CVSS 4.3 (medium): ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending…
CVE-2019-14820 — CVSS 4.3 (medium): It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be…
CVE-2020-1724 — CVSS 4.3 (medium): A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal…
CVE-2020-27826 — CVSS 4.2 (medium): A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API…
CVE-2020-10686 — CVSS 4.1 (medium): A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself…
CVE-2023-0091 — CVSS 3.8 (low): A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This…
CVE-2019-3868 — CVSS 3.8 (low): Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for…
CVE-2024-4028 — CVSS 3.8 (low): A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while…
CVE-2016-8609 — CVSS 3.7 (low): It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a…