CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-1466 – keycloak: Improper authorization for master realm
https://notcve.org/view.php?id=CVE-2022-1466
26 Apr 2022 — Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. Debido a una autorización inapropiada, Red Hat Single Sign-On es vulnerable a que usuarios lleven a cabo acciones que no deberían estar autorizados a realizar. Era posible añadir usuarios al reino maestro aunque no sea concedido el permiso correspondiente A flaw was found ... • https://bugzilla.redhat.com/show_bug.cgi?id=2050228 • CWE-863: Incorrect Authorization CWE-1220: Insufficient Granularity of Access Control •
CVSS: 6.1EPSS: 70%CPEs: 1EXPL: 3CVE-2021-20323 – keycloak-services: POST based reflected Cross Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2021-20323
25 Mar 2022 — A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. Se ha identificado una vulnerabilidad de tipo Cross Site Scripting reflejado basada en POST en Keycloak A flaw has been found in Keycloak. The clients-registrations endpoint allows execution of javascript code on the client-side, which makes it vulnerable to a Cross-Site Scripting attack. • https://github.com/ndmalc/CVE-2021-20323 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-3827 – keycloak-server-spi-private: ECP SAML binding bypasses authentication flows
https://notcve.org/view.php?id=CVE-2021-3827
18 Jan 2022 — A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. Se ha encontrado un fallo en keycloak, en el que el flujo de vinculación ECP por defecto permite omitir otros flujos de autenticación. Al exp... • https://access.redhat.com/security/cve/CVE-2021-3827 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4133 – Keycloak: Incorrect authorization allows unpriviledged users to create other users
https://notcve.org/view.php?id=CVE-2021-4133
21 Dec 2021 — A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. Se ha encontrado un fallo en Keycloak en las versiones a partir de la 12.0.0 y anteriores hasta 15.1.1, que permite a un atacante con cualquier cuenta de usuario existente crear nuevas cuentas de usuario por defecto por medio de la API REST administrativa incluso cuando e... • https://bugzilla.redhat.com/show_bug.cgi?id=2033602 • CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3513 – keycloak: Brute force attack is possible even after the account lockout
https://notcve.org/view.php?id=CVE-2021-3513
14 Sep 2021 — A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en keycloak por el que es posible realizar un ataque de fuerza bruta incluso cuando la función de bloqueo permanente está habilitada. Esto es debido a un mensaje de error que es mostrado cuando son introducidos creden... • https://access.redhat.com/security/cve/CVE-2021-3513 • CWE-209: Generation of Error Message Containing Sensitive Information CWE-522: Insufficiently Protected Credentials •
CVSS: 7.6EPSS: 0%CPEs: 6EXPL: 0CVE-2021-3632 – keycloak: Anyone can register a new device when there is no device registered for passwordless login
https://notcve.org/view.php?id=CVE-2021-3632
14 Sep 2021 — A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. Se ha encontrado un fallo en Keycloak. Esta vulnerabilidad permite a cualquiera registrar un nuevo dispositivo de seguridad o llave cuando no se presenta un dispositivo ya registrado para ningún usuario, al usar el flujo de inicio de sesión sin contraseña de WebAuthn. Red Hat Single Sign-On 7.4 is a ... • https://access.redhat.com/security/cve/CVE-2021-3632 • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-35509 – keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity
https://notcve.org/view.php?id=CVE-2020-35509
14 Sep 2021 — A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo en keycloak afectado a versiones 11.0.3 y 12.0.0. Un certificado caducado sería aceptado por el autenticador de concesión directa debido a una falta de comprobaciones de la marca de tiempo. • https://access.redhat.com/security/cve/cve-2020-35509 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3637 – keycloak-model-infinispan: authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly could lead to a DoS attack
https://notcve.org/view.php?id=CVE-2021-3637
09 Jul 2021 — A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. Se ha encontrado un fallo en keycloak-model-infinispan en keycloak versiones anteriores a 14.0.0, donde el mapa authenticationSessions en RootAuthenticationSessionEntity crece ilimitadamente, lo que podría conllevar a un ataque de DoS A flaw was found in keycloak-model-infinispan where the authenticationSessio... • https://bugzilla.redhat.com/show_bug.cgi?id=1979638 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20195
https://notcve.org/view.php?id=CVE-2021-20195
28 May 2021 — A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en keycloak en versiones anteriores a 13.0.0. Es posible que se produzca un vector de ataque de tipo XSS Autoalmacen... • https://bugzilla.redhat.com/show_bug.cgi?id=1919143 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3461 – keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP
https://notcve.org/view.php?id=CVE-2021-3461
20 May 2021 — A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. Se ha encontrado un fallo en keycloak por el que keycloak puede fallar al cerrar la sesión del usuario si la petición de cierre de sesión proviene de un proveedor de identidad SAML externo y el tipo de principal está configurado como atributo [nombre] Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak... • https://bugzilla.redhat.com/show_bug.cgi?id=1941565 • CWE-613: Insufficient Session Expiration •