Page 5 of 35 results (0.008 seconds)

CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. Se encontró un fallo en Keycloak versiones anteriores a 12.0.0, donde es posible actualizar los atributos de metadatos del usuario usando la API REST de la cuenta. Este fallo permite a un atacante cambiar su propio atributo NameID para hacerse pasar por el usuario administrador de cualquier aplicación en particular • https://bugzilla.redhat.com/show_bug.cgi?id=1905089 https://access.redhat.com/security/cve/CVE-2020-27826 • CWE-250: Execution with Unnecessary Privileges •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks. Se encontró un fallo en Keycloak versiones anteriores a 13.0.0, donde un proveedor de identidad externo, después de una autenticación con éxito, redirecciona un endpoint hacia Keycloak que acepta múltiples invocaciones con el uso del mismo parámetro "state". Este fallo permite a un usuario malicioso llevar a cabo ataques de reproducción A flaw was found in Keycloak, where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks. • https://bugzilla.redhat.com/show_bug.cgi?id=1849584 https://access.redhat.com/security/cve/CVE-2020-14302 • CWE-294: Authentication Bypass by Capture-replay •

CVSS: 5.8EPSS: 20%CPEs: 1EXPL: 3

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. Se encontró un fallo en Keycloak versiones anteriores a 13.0.0, donde es posible forzar al servidor a llamar a una URL no verificada usando el parámetro OIDC request_uri. Este fallo permite a un atacante usar este parámetro para ejecutar un ataque de tipo Server-side request forgery (SSRF) A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. • https://www.exploit-db.com/exploits/50405 https://github.com/ColdFusionX/Keycloak-12.0.1-CVE-2020-10770 http://packetstormsecurity.com/files/164499/Keycloak-12.0.1-Server-Side-Request-Forgery.html https://bugzilla.redhat.com/show_bug.cgi?id=1846270 https://access.redhat.com/security/cve/CVE-2020-10770 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can be exposed by this flaw Se encontró una vulnerabilidad en keycloak, donde es posible un salto de ruta usando segmentos de ruta codificados con una URL en la petición porque el endpoint de recursos aplica una transformación de la ruta de la URL a la ruta del archivo. Solo algunas jerarquías de carpetas específicas pueden ser expuestas con este fallo A flaw was found in keycloak. A path traversal, using URL-encoded path segments in a request, is possible due to transformation of the URL path to a file path at the resource endpoint. The highest threat from this vulnerability is to data confidentiality. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14366 https://access.redhat.com/security/cve/CVE-2020-14366 https://bugzilla.redhat.com/show_bug.cgi?id=1869764 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. Se encontró un fallo en Keycloak versiones anteriores a 12.0.0, donde es posible agregar esquemas no seguros para el parámetro redirect_uri. Este fallo permite a un atacante llevar a cabo un ataque de tipo Cross-site scripting A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. • https://bugzilla.redhat.com/show_bug.cgi?id=1847428 https://access.redhat.com/security/cve/CVE-2020-10776 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •