CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1694 – keycloak: verify-token-audience support is missing in the NodeJS adapter
https://notcve.org/view.php?id=CVE-2020-1694
02 Jul 2020 — A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions. Se encontró un fallo en todas las versiones de Keycloak versiones anteriores a 10.0.0, donde el adaptador NodeJS no admitía la verify-token-audience. Este fallo hace que algunos usuarios tengan acceso a información confidencial fuera de sus permisos A flaw was found in Keycloak... • https://bugzilla.redhat.com/show_bug.cgi?id=1790759 • CWE-183: Permissive List of Allowed Inputs CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1727 – keycloak: missing input validation in IDP authorization URLs
https://notcve.org/view.php?id=CVE-2020-1727
01 Jun 2020 — A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients. Se encontró una vulnerabilidad en Keycloak versiones anteriores a 9.0.2, donde cada URL de autorización que apunta a un servidor IDP que carece de una comprobación de entrada inapropiada, ya que permite una amplia gama d... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1727 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 1%CPEs: 7EXPL: 0CVE-2020-1714 – keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-1714
13 May 2020 — A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. Se detectó un fallo en Keycloak versiones anteriores a 11.0.0, donde la base de código contiene usos de la función ObjectInputStream sin ningún tipo de comprobaciones. Este fallo permite a un atacante ... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1718 – keycloak: security issue on reset credential flow
https://notcve.org/view.php?id=CVE-2020-1718
12 May 2020 — A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. Se encontró un fallo en el flujo de restablecimiento de credenciales en todas las versiones de Keycloak versiones anteriores a 8.0.0. Este fallo permite a un atacante obtener acceso no autorizado a la aplicación. A flaw was found in the reset credential flow in Keycloak. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1718 • CWE-287: Improper Authentication •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1758 – keycloak: improper verification of certificate with host mismatch could result in information disclosure
https://notcve.org/view.php?id=CVE-2020-1758
12 May 2020 — A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. Se encontró un fallo en Keycloak en versiones anteriores a 10.0.0, donde no se lleva a cabo una verificación del nombre de host TLS mientras se envía correos electrónicos utilizando el servidor SMTP. Este fallo permite a un atacante llevar a cabo un ataque de tipo man-in-the-middl... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1724 – keycloak: problem with privacy after user logout
https://notcve.org/view.php?id=CVE-2020-1724
11 May 2020 — A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. Se encontró un fallo en Keycloak en versiones anteriores a 9.0.2. Este fallo permite a un usuario malicioso que actualmente está registrado, visualizar la información personal de un usuario que previamente a cerrado sesión en la sección del administrador de la cuenta. A flaw was found in Keycloak.... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724 • CWE-613: Insufficient Session Expiration •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1698 – keycloak: Password leak by logged exception in HttpMethod class
https://notcve.org/view.php?id=CVE-2020-1698
11 May 2020 — A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. Se detectó un fallo en keycloak en versiones anteriores a 9.0.0. Una excepción registrada en la clase HttpMethod puede filtrar la contraseña dada como parámetro. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1698 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10170 – keycloak: script execution via realm management policy trigger
https://notcve.org/view.php?id=CVE-2019-10170
08 May 2020 — A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. Se encontró un fallo en la consola de administración de Keycloak, donde la interfaz de administración de un realm permite establecer un script por medio de la política. Este fallo pe... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10170 • CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10169 – keycloak: script execution via UMA policy trigger
https://notcve.org/view.php?id=CVE-2019-10169
08 May 2020 — A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application. Se encontró un fallo en la interfaz de acceso administrada por usuario de Keycloak, donde permitiría establecer un script en la política UMA. Este fallo permite a un atacante autenticado con permisos UM... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10169 • CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10686
https://notcve.org/view.php?id=CVE-2020-10686
04 May 2020 — A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. Se encontró un fallo en Keycloak versión 8.0.2 y 9.0.0, y se corrigió en Keycloak versión 9.0.1, donde un usuario malicioso se registra como uno mismo. El atacante podría luego usar el formulario de eliminar dispositivos para publicar dif... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686 • CWE-285: Improper Authorization •