CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1758 – keycloak: improper verification of certificate with host mismatch could result in information disclosure
https://notcve.org/view.php?id=CVE-2020-1758
12 May 2020 — A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. Se encontró un fallo en Keycloak en versiones anteriores a 10.0.0, donde no se lleva a cabo una verificación del nombre de host TLS mientras se envía correos electrónicos utilizando el servidor SMTP. Este fallo permite a un atacante llevar a cabo un ataque de tipo man-in-the-middl... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1724 – keycloak: problem with privacy after user logout
https://notcve.org/view.php?id=CVE-2020-1724
11 May 2020 — A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. Se encontró un fallo en Keycloak en versiones anteriores a 9.0.2. Este fallo permite a un usuario malicioso que actualmente está registrado, visualizar la información personal de un usuario que previamente a cerrado sesión en la sección del administrador de la cuenta. A flaw was found in Keycloak.... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724 • CWE-613: Insufficient Session Expiration •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1698 – keycloak: Password leak by logged exception in HttpMethod class
https://notcve.org/view.php?id=CVE-2020-1698
11 May 2020 — A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. Se detectó un fallo en keycloak en versiones anteriores a 9.0.0. Una excepción registrada en la clase HttpMethod puede filtrar la contraseña dada como parámetro. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1698 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10170 – keycloak: script execution via realm management policy trigger
https://notcve.org/view.php?id=CVE-2019-10170
08 May 2020 — A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. Se encontró un fallo en la consola de administración de Keycloak, donde la interfaz de administración de un realm permite establecer un script por medio de la política. Este fallo pe... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10170 • CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10169 – keycloak: script execution via UMA policy trigger
https://notcve.org/view.php?id=CVE-2019-10169
08 May 2020 — A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application. Se encontró un fallo en la interfaz de acceso administrada por usuario de Keycloak, donde permitiría establecer un script en la política UMA. Este fallo permite a un atacante autenticado con permisos UM... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10169 • CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1728 – keycloak: security headers missing on REST endpoints
https://notcve.org/view.php?id=CVE-2020-1728
06 Apr 2020 — A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. Se detectó una vulnerabilidad en todas las versiones de Keyclo... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728 • CWE-358: Improperly Implemented Security Check for Standard CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1744 – keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
https://notcve.org/view.php?id=CVE-2020-1744
24 Mar 2020 — A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events. Se descubrió un fallo en keycloak versiones anteriores a la versión 9.0.1. Cuando se configura un Conditional OTP Authentication Flow como un flujo posterior al inicio de sesión de un IDP, los eventos de inicio de sesión falli... • https://access.redhat.com/security/cve/CVE-2020-1744 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1697 – keycloak: stored XSS in client settings via application links
https://notcve.org/view.php?id=CVE-2020-1697
10 Feb 2020 — It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. Se encontró en todas las versiones de keycloak anteriores a 9.0.0 que los enlaces de aplicaciones externas (Application Links) en la consola de administración no están validados apropiadamente y podrían permi... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3652
https://notcve.org/view.php?id=CVE-2014-3652
15 Dec 2019 — JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL. JBoss KeyCloak: una vulnerabilidad de redireccionamiento abierto por falta de comprobación de la URL de redireccionamiento. • https://access.redhat.com/security/cve/cve-2014-3652 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-14837 – keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure
https://notcve.org/view.php?id=CVE-2019-14837
02 Dec 2019 — A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. Se encontró un fallo en keycloack versiones anteriores a la versión 8.0.0. El propietario del dominio "placeholder.org" puede configurar el servidor de correo sobre este dominio y conociendo solo el nombre de un c... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837 • CWE-547: Use of Hard-coded, Security-relevant Constants CWE-798: Use of Hard-coded Credentials •