CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10169 – keycloak: script execution via UMA policy trigger
https://notcve.org/view.php?id=CVE-2019-10169
A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running application. Se encontró un fallo en la interfaz de acceso administrada por usuario de Keycloak, donde permitiría establecer un script en la política UMA. Este fallo permite a un atacante autenticado con permisos UMA configurar un script malicioso para activar y ejecutar código arbitrario con los permisos del usuario que ejecuta la aplicación. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10169 https://access.redhat.com/security/cve/CVE-2019-10169 https://bugzilla.redhat.com/show_bug.cgi?id=1721302 • CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1728 – keycloak: security headers missing on REST endpoints
https://notcve.org/view.php?id=CVE-2020-1728
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. Se detectó una vulnerabilidad en todas las versiones de Keycloak donde, las páginas en el área Admin Console de la aplicación, carecen completamente de encabezados de seguridad HTTP generales en las respuestas HTTP. Esto no conlleva directamente a un problema de seguridad, sin embargo podría ayudar a atacantes en sus esfuerzos para explotar otros problemas. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728 https://access.redhat.com/security/cve/CVE-2020-1728 https://bugzilla.redhat.com/show_bug.cgi?id=1800585 • CWE-358: Improperly Implemented Security Check for Standard CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1744 – keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
https://notcve.org/view.php?id=CVE-2020-1744
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events. Se descubrió un fallo en keycloak versiones anteriores a la versión 9.0.1. Cuando se configura un Conditional OTP Authentication Flow como un flujo posterior al inicio de sesión de un IDP, los eventos de inicio de sesión fallidos para OTP no son enviados hacia la cola de eventos de protección de fuerza bruta. • https://access.redhat.com/security/cve/CVE-2020-1744 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744 https://bugzilla.redhat.com/show_bug.cgi?id=1805792 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1697 – keycloak: stored XSS in client settings via application links
https://notcve.org/view.php?id=CVE-2020-1697
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. Se encontró en todas las versiones de keycloak anteriores a 9.0.0 que los enlaces de aplicaciones externas (Application Links) en la consola de administración no están validados apropiadamente y podrían permitir ataques de tipo XSS almacenado. Un usuario malicioso autorizado podría crear una URL para engañar a los usuarios en otras esferas y posiblemente conducir nuevos ataques. A flaw was found during the assessment of the Admin Console application for Keycloak, where it was found that Application Links to external applications are not validated properly. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697 https://access.redhat.com/security/cve/CVE-2020-1697 https://bugzilla.redhat.com/show_bug.cgi?id=1791538 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-14910
https://notcve.org/view.php?id=CVE-2019-14910
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. Se encontró una vulnerabilidad en keycloak versiones 7.x, cuando keycloak es configurado con LDAP user federation y StartTLS es usado en lugar de SSL/TLS desde el servidor LDAP (ldaps), en este caso la autenticación del usuario tiene éxito inclusive si una contraseña no válida se ha ingresado. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910 • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation CWE-305: Authentication Bypass by Primary Weakness CWE-592: DEPRECATED: Authentication Bypass Issues •