org.keycloak
174 tracked vulnerabilities.
| CVE | Severity | Title | Date | CVSS | EPSS | Tags |
|---|---|---|---|---|---|---|
| CVE-2022-3782 | CRITICAL | Keycloak - Path Traversal via Double URL Encoding | Jan 13, 2023 | 9.1 | 0.00 | |
| CVE-2022-2256 | LOW | Red Hat Single Sign-On 7 - Stored Cross-Site Scripting in Admin Console via Default Roles | Sep 01, 2022 | 3.8 | 0.01 | |
| CVE-2022-0225 | MEDIUM | Keycloak - Stored Cross-Site Scripting via Group Name in Admin Console | Aug 26, 2022 | 5.4 | 0.01 | |
| CVE-2022-2668 | HIGH | Keycloak < 19.0.2 - Arbitrary JavaScript Upload via SAML Protocol Mapper | Aug 05, 2022 | 7.2 | 0.00 | |
| CVE-2022-1245 | CRITICAL | Keycloak < 18.0.0 - Missing Authorization in Token Exchange | Jul 08, 2022 | 9.8 | 0.00 | |
| CVE-2022-1466 | MEDIUM | Red Hat Keycloak < 17.0.1 - Incorrect Authorization | Apr 26, 2022 | 6.5 | 0.00 | |
| CVE-2021-3856 | MEDIUM | Keycloak < 15.1.0 - Unauthenticated Arbitrary File Read via Theme Resource Path Traversal | Aug 26, 2022 | 4.3 | 0.00 | |
| CVE-2021-3754 | MEDIUM | Keycloak - Improper Input Validation in Username Registration | Aug 26, 2022 | 5.3 | 0.12 | |
| CVE-2021-3632 | HIGH | Keycloak < 15.1.0 - Unauthenticated WebAuthn Device Registration | Aug 26, 2022 | 7.5 | 0.01 | |
| CVE-2021-3827 | MEDIUM | Keycloak < 18.0.0 - Authentication Bypass via ECP Binding Flow | Aug 23, 2022 | 6.8 | 0.00 | |
| CVE-2021-3513 | HIGH | Keycloak - Confidentiality Info Disclosure | Aug 22, 2022 | 7.5 | 0.00 | |
| CVE-2021-3461 | HIGH | Keycloak - Insufficient Session Expiration via SAML Identity Provider Logout | Apr 01, 2022 | 7.1 | 0.00 | |
| CVE-2021-20323 | MEDIUM | Keycloak < 17.0.0 - Reflected Cross-Site Scripting via POST Request | Mar 25, 2022 | 6.1 | 0.66 | NUCLEI |
| CVE-2021-4133 | HIGH | Keycloak 12.0.0-15.1.0 - Incorrect Authorization via Administrative REST API | Jan 25, 2022 | 8.8 | 0.00 | |
| CVE-2021-3637 | HIGH | Keycloak < 14.0.0 - Denial of Service via Authentication Session Map Growth | Jul 09, 2021 | 7.5 | 0.00 | |
| CVE-2021-3424 | MEDIUM | Red Hat Single Sign-On 7.4 - IDN Homograph Attack via User Registration | Jun 01, 2021 | 5.3 | 0.00 | |
| CVE-2021-20195 | CRITICAL | Keycloak < 13.0.0 - Stored Cross-Site Scripting via User-Supplied Data Fields | May 28, 2021 | 9.6 | 0.00 | |
| CVE-2021-20202 | HIGH | Keycloak < 13.0.0 - Insecure Temporary File Permissions | May 12, 2021 | 7.3 | 0.00 | |
| CVE-2021-20222 | HIGH | Keycloak 9.0.0-12.0.2 - Cross-Site Scripting via Referrer URL | Mar 23, 2021 | 7.5 | 0.00 | |
| CVE-2021-20262 | MEDIUM | Keycloak 12.0.0 - Missing Authentication for Critical Function | Mar 09, 2021 | 6.8 | 0.00 | |
| CVE-2020-35509 | MEDIUM | Keycloak 11.0.3 and 12.0.0 - Improper Certificate Validation in Direct-Grant Authenticator | Aug 23, 2022 | 5.4 | 0.00 | |
| CVE-2020-27826 | MEDIUM | Keycloak < 12.0.0 - Privilege Escalation | May 28, 2021 | 4.2 | 0.00 | |
| CVE-2020-27838 | MEDIUM | Keycloak < 13.0.0 - Unauthenticated Information Disclosure via Client Registration Endpoint | Mar 08, 2021 | 6.5 | 0.85 | NUCLEI |
| CVE-2020-1717 | LOW | Keycloak 7.0.1 - Account Email Enumeration via Error Message | Feb 11, 2021 | 2.7 | 0.00 | |
| CVE-2020-10734 | LOW | Keycloak - Cross-Site Request Forgery in OIDC Logout Endpoint | Feb 11, 2021 | 3.3 | 0.00 | |
Products
keycloak-services 74
keycloak-core 48
keycloak-parent 25
keycloak-quarkus-server 9
keycloak-server-spi-private 5
keycloak-ldap-federation 4
keycloak-saml-core 4
keycloak-model-jpa 3
keycloak-saml-adapter-core 3
keycloak-model-infinispan 2
keycloak-quarkus-dist 2
keycloak-account-ui 1
keycloak-adapter-core 1
keycloak-admin-ui 1
keycloak-authz-client 1
keycloak-broker-saml 1
keycloak-common 1
keycloak-js-admin-client 1
keycloak-model-storage-services 1
keycloak-oidc-client-adapter-pom 1