Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
keycloak keycloak - vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv2
CVE-2022-1245
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unaut...
Redhat Keycloak
7.5
CVSSv2
CVE-2020-14359
A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a Gatekee...
Redhat Louketo Proxy
7.5
CVSSv2
CVE-2020-1731
A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.
Redhat Keycloak Operator
7.5
CVSSv2
CVE-2019-14910
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.
Redhat Keycloak 7.0.0
Redhat Keycloak 7.0.1
7.5
CVSSv2
CVE-2019-14909
A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted.
Redhat Keycloak 7.0.0
Redhat Keycloak 7.0.1
6.8
CVSSv2
CVE-2021-20195
A flaw was found in keycloak in versions prior to 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from ...
Redhat Keycloak
6.8
CVSSv2
CVE-2020-1744
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this ev...
Redhat Keycloak
6.8
CVSSv2
CVE-2019-10199
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.
Redhat Keycloak
6.8
CVSSv2
CVE-2014-3709
The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak prior to 1.0.3.Final allows remote malicious users to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
Keycloak Keycloak
6.5
CVSSv2
CVE-2021-4133
A flaw was found in Keycloak in versions from 12.0.0 and prior to 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
Redhat Keycloak
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-7073
CVE-2024-5496
CVE-2024-5495
XPath injection
bypass
CVE-2024-30043
CVE-2024-24919
denial of service
CVE-2024-35468
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
6
NEXT »