CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10776 – keycloak: OIDC redirect_uri allows dangerous schemes resulting in potential XSS
https://notcve.org/view.php?id=CVE-2020-10776
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. Se encontró un fallo en Keycloak versiones anteriores a 12.0.0, donde es posible agregar esquemas no seguros para el parámetro redirect_uri. Este fallo permite a un atacante llevar a cabo un ataque de tipo Cross-site scripting A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. • https://bugzilla.redhat.com/show_bug.cgi?id=1847428 https://access.redhat.com/security/cve/CVE-2020-10776 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14389 – keycloak: user can manage resources with just "view-profile" role using new Account Console
https://notcve.org/view.php?id=CVE-2020-14389
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have. Se detectó que Keycloak versiones anteriores a 12.0.0, permitiría a un usuario que sólo tuviera una función de perfil de visualización administrar los recursos en la nueva consola de cuentas, permitiendo un acceso y una modificación de unos datos que el usuario no estaba destinado a tener A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission. • https://access.redhat.com/security/cve/cve-2020-14389 https://bugzilla.redhat.com/show_bug.cgi?id=1875843%2C https://access.redhat.com/security/cve/CVE-2020-14389 https://bugzilla.redhat.com/show_bug.cgi?id=1875843 • CWE-916: Use of Password Hash With Insufficient Computational Effort •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-10758 – keycloak: DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body
https://notcve.org/view.php?id=CVE-2020-10758
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. Se encontró una vulnerabilidad en Keycloak versiones anteriores a 11.0.1, donde el ataque de DoS es posible mediante el envío de veinte peticiones simultáneamente hacia el servidor de keycloak especificado, todas con un valor de encabezado Content-Length que excede el conteo de bytes real del cuerpo de la petición A flaw was found in Keycloak. This flaw allows an attacker to perform a denial of service attack by sending multiple simultaneous requests with a Content-Length header value greater than the actual byte count of the request body. The highest threat from this vulnerability is to system availability. • https://bugzilla.redhat.com/show_bug.cgi?id=1843849 https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251 https://access.redhat.com/security/cve/CVE-2020-10758 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1694 – keycloak: verify-token-audience support is missing in the NodeJS adapter
https://notcve.org/view.php?id=CVE-2020-1694
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions. Se encontró un fallo en todas las versiones de Keycloak versiones anteriores a 10.0.0, donde el adaptador NodeJS no admitía la verify-token-audience. Este fallo hace que algunos usuarios tengan acceso a información confidencial fuera de sus permisos A flaw was found in Keycloak, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions. • https://bugzilla.redhat.com/show_bug.cgi?id=1790759 https://access.redhat.com/security/cve/CVE-2020-1694 • CWE-183: Permissive List of Allowed Inputs CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1727 – keycloak: missing input validation in IDP authorization URLs
https://notcve.org/view.php?id=CVE-2020-1727
A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients. Se encontró una vulnerabilidad en Keycloak versiones anteriores a 9.0.2, donde cada URL de autorización que apunta a un servidor IDP que carece de una comprobación de entrada inapropiada, ya que permite una amplia gama de caracteres. Este fallo permite a un malicioso diseñar enlaces profundos que introducen escenarios de ataque adicionales en los clientes afectados A flaw was found in Keycloak, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1727 https://access.redhat.com/security/cve/CVE-2020-1727 https://bugzilla.redhat.com/show_bug.cgi?id=1800573 • CWE-20: Improper Input Validation •