Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
keycloak vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2022-1245
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unaut...
Redhat Keycloak
5.4
CVSSv3
CVE-2020-1725
A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.
Redhat Keycloak
5.6
CVSSv3
CVE-2020-1744
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this ev...
Redhat Keycloak
5.3
CVSSv3
CVE-2020-10770
A flaw was found in Keycloak prior to 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an malicious user to use this parameter to execute a Server-side request forgery (SSRF) attack.
Redhat Keycloak
2 Github repositories
9.6
CVSSv3
CVE-2021-20195
A flaw was found in keycloak in versions prior to 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from ...
Redhat Keycloak
4.3
CVSSv3
CVE-2021-3856
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if availab...
Redhat Keycloak
4.9
CVSSv3
CVE-2020-1694
A flaw was found in all versions of Keycloak prior to 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
Redhat Keycloak
6.1
CVSSv3
CVE-2022-1970
keycloak 18.0.0: open redirect in auth endpoint via the redirect_uri parameter.
Redhat Keycloak 18.0.0
1 Github repository
9.1
CVSSv3
CVE-2022-3782
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive inf...
Redhat Keycloak 20.0.2
6.1
CVSSv3
CVE-2014-3652
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.
Redhat Keycloak 1.0.1
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
encryption
CVE-2024-4331
CVE-2024-26925
arbitrary code
CVE-2006-4304
CVE-2024-25458
CVE-2024-27077
reflected XSS
CVE-2024-4059
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
NEXT »