
CVE-2020-14302 – keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks
https://notcve.org/view.php?id=CVE-2020-14302
15 Dec 2020 — A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks. • https://bugzilla.redhat.com/show_bug.cgi?id=1849584 • CWE-294: Authentication Bypass by Capture-replay •

CVE-2020-10770 – Keycloak 12.0.1 - 'request_uri' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
https://notcve.org/view.php?id=CVE-2020-10770
15 Dec 2020 — A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out to an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-Side Request Forgery (SSRF) attack. • https://packetstorm.news/files/id/164499 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2020-14366 – keycloak: path traversal in resources
https://notcve.org/view.php?id=CVE-2020-14366
09 Nov 2020 — A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14366 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2020-14389 – keycloak: user can manage resources with just "view-profile" role using new Account Console
https://notcve.org/view.php?id=CVE-2020-14389
05 Nov 2020 — It was found that Keycloak before version 12.0.0 would permit a user with only the view-profile role to manage the resources in the new account console, allowing access to and modification of data the user was not intended to have. • https://access.redhat.com/security/cve/cve-2020-14389 • CWE-916: Use of Password Hash With Insufficient Computational Effort •

CVE-2020-10776 – keycloak: OIDC redirect_uri allows dangerous schemes resulting in potential XSS
https://notcve.org/view.php?id=CVE-2020-10776
05 Nov 2020 — A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. • https://bugzilla.redhat.com/show_bug.cgi?id=1847428 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-10758 – keycloak: DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body
https://notcve.org/view.php?id=CVE-2020-10758
19 Aug 2020 — A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. • https://bugzilla.redhat.com/show_bug.cgi?id=1843849 • CWE-400: Uncontrolled Resource Consumption • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2020-1694 – keycloak: verify-token-audience support is missing in the NodeJS adapter
https://notcve.org/view.php?id=CVE-2020-1694
02 Jul 2020 — A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions. • https://bugzilla.redhat.com/show_bug.cgi?id=1790759 • CWE-183: Permissive List of Allowed Inputs • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2020-1727 – keycloak: missing input validation in IDP authorization URLs
https://notcve.org/view.php?id=CVE-2020-1727
01 Jun 2020 — A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation, as it allows a wide range of characters. This flaw allows a malicious user to craft deep links that introduce further attack scenarios on affected clients. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1727 • CWE-20: Improper Input Validation •

CVE-2020-1714 – keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-1714
13 May 2020 — A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrary serialized Java objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 • CWE-20: Improper Input Validation •

CVE-2020-1718 – keycloak: security issue on reset credential flow
https://notcve.org/view.php?id=CVE-2020-1718
12 May 2020 — A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1718 • CWE-287: Improper Authentication •