Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
keycloak vulnerabilities and exploits
(subscribe to this query)
4.9
CVSSv3
CVE-2020-1694
A flaw was found in all versions of Keycloak prior to 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
Redhat Keycloak
5.4
CVSSv3
CVE-2020-1727
A vulnerability was found in Keycloak prior to 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affe...
Redhat Keycloak
5.6
CVSSv3
CVE-2020-1744
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this ev...
Redhat Keycloak
4.9
CVSSv3
CVE-2020-14302
A flaw was found in Keycloak prior to 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform...
Redhat Keycloak
7.5
CVSSv3
CVE-2021-3513
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
Redhat Keycloak
7.5
CVSSv3
CVE-2019-14832
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
Redhat Keycloak
9.6
CVSSv3
CVE-2021-20195
A flaw was found in keycloak in versions prior to 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from ...
Redhat Keycloak
8.8
CVSSv3
CVE-2023-4918
A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients...
Redhat Keycloak 22.0.2
9.1
CVSSv3
CVE-2022-3782
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive inf...
Redhat Keycloak 20.0.2
9.8
CVSSv3
CVE-2023-24456
Jenkins Keycloak Authentication Plugin 2.3.0 and previous versions does not invalidate the previous session on login.
Jenkins Keycloak Authentication
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-33572
CVE-2024-24919
CVE-2024-0230
CVE-2024-32714
HTML injection
local file inclusion
CVE-2024-31098
CVE-2024-31244
privilege
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
NEXT »