CVE-2021-20323 – keycloak-services: POST based reflected Cross Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2021-20323
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. Se ha identificado una vulnerabilidad de tipo Cross Site Scripting reflejado basada en POST en Keycloak A flaw has been found in Keycloak. The clients-registrations endpoint allows execution of javascript code on the client-side, which makes it vulnerable to a Cross-Site Scripting attack. • https://github.com/ndmalc/CVE-2021-20323 https://github.com/Cappricio-Securities/CVE-2021-20323 https://github.com/cscpwn0sec/CVE-2021-20323 https://bugzilla.redhat.com/show_bug.cgi?id=2013577 https://access.redhat.com/security/cve/CVE-2021-20323 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-3827 – CVE-2021-3827 keycloak-server-spi-private: ECP SAML binding bypasses authentication flows
https://notcve.org/view.php?id=CVE-2021-3827
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. Se ha encontrado un fallo en keycloak, en el que el flujo de vinculación ECP por defecto permite omitir otros flujos de autenticación. Al explotar este comportamiento, un atacante puede omitir la autenticación MFA mediante el envío de una petición SOAP con un encabezado AuthnRequest y Authorization con las credenciales del usuario. • https://access.redhat.com/security/cve/CVE-2021-3827 https://bugzilla.redhat.com/show_bug.cgi?id=2007512 https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v • CWE-287: Improper Authentication •
CVE-2021-4133 – CVE-2021-4133 Keycloak: Incorrect authorization allows unpriviledged users to create other users
https://notcve.org/view.php?id=CVE-2021-4133
A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. Se ha encontrado un fallo en Keycloak en las versiones a partir de la 12.0.0 y anteriores hasta 15.1.1, que permite a un atacante con cualquier cuenta de usuario existente crear nuevas cuentas de usuario por defecto por medio de la API REST administrativa incluso cuando el registro de nuevos usuarios está deshabilitado A flaw was found in Keycloak version from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. • https://bugzilla.redhat.com/show_bug.cgi?id=2033602 https://github.com/keycloak/keycloak/issues/9247 https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2021-4133 • CWE-863: Incorrect Authorization •
CVE-2020-35509 – keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity
https://notcve.org/view.php?id=CVE-2020-35509
A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo en keycloak afectado a versiones 11.0.3 y 12.0.0. Un certificado caducado sería aceptado por el autenticador de concesión directa debido a una falta de comprobaciones de la marca de tiempo. • https://access.redhat.com/security/cve/cve-2020-35509 https://access.redhat.com/security/cve/CVE-2020-35509 https://bugzilla.redhat.com/show_bug.cgi?id=1912427 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVE-2021-3632 – keycloak: Anyone can register a new device when there is no device registered for passwordless login
https://notcve.org/view.php?id=CVE-2021-3632
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. Se ha encontrado un fallo en Keycloak. Esta vulnerabilidad permite a cualquiera registrar un nuevo dispositivo de seguridad o llave cuando no se presenta un dispositivo ya registrado para ningún usuario, al usar el flujo de inicio de sesión sin contraseña de WebAuthn. • https://access.redhat.com/security/cve/CVE-2021-3632 https://bugzilla.redhat.com/show_bug.cgi?id=1978196 https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4 https://github.com/keycloak/keycloak/pull/8203 https://issues.redhat.com/browse/KEYCLOAK-18500 • CWE-287: Improper Authentication •