Filtered by vendor Redhat Subscriptions
Filtered by product Keycloak Subscriptions
Total 89 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-1245 1 Redhat 3 Keycloak, Red Hat Single Sign On, Rhosemc 2024-11-21 9.8 Critical
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.
CVE-2022-0225 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 5.4 Medium
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
CVE-2021-4133 1 Redhat 3 Keycloak, Red Hat Single Sign On, Rhosemc 2024-11-21 8.8 High
A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
CVE-2021-3856 1 Redhat 2 Keycloak, Red Hat Single Sign On 2024-11-21 4.3 Medium
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.
CVE-2021-3827 1 Redhat 6 Enterprise Linux, Keycloak, Openshift Container Platform and 3 more 2024-11-21 6.8 Medium
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.
CVE-2021-3754 1 Redhat 2 Keycloak, Single Sign-on 2024-11-21 5.3 Medium
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.
CVE-2021-3637 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 7.5 High
A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.
CVE-2021-3632 1 Redhat 4 Enterprise Linux, Keycloak, Red Hat Single Sign On and 1 more 2024-11-21 7.5 High
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
CVE-2021-3513 1 Redhat 2 Keycloak, Red Hat Single Sign On 2024-11-21 7.5 High
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
CVE-2021-3461 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 7.1 High
A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].
CVE-2021-20323 1 Redhat 2 Keycloak, Red Hat Single Sign On 2024-11-21 6.1 Medium
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.
CVE-2021-20262 1 Redhat 2 Keycloak, Single Sign-on 2024-11-21 6.8 Medium
A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-20222 1 Redhat 1 Keycloak 2024-11-21 7.5 High
A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-20202 1 Redhat 1 Keycloak 2024-11-21 7.3 High
A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2021-20195 1 Redhat 1 Keycloak 2024-11-21 9.6 Critical
A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-35509 1 Redhat 2 Keycloak, Red Hat Single Sign On 2024-11-21 5.4 Medium
A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2020-27838 1 Redhat 2 Keycloak, Single Sign-on 2024-11-21 6.5 Medium
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
CVE-2020-27826 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 4.2 Medium
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.
CVE-2020-1758 1 Redhat 4 Jboss Single Sign On, Keycloak, Openstack and 1 more 2024-11-21 5.3 Medium
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
CVE-2020-1744 1 Redhat 4 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 1 more 2024-11-21 5.6 Medium
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.