Keycloak Core Licenses and Vulnerabilities

Keycloak Core Vulnerabilities

Sort by

CVE (Latest)

CVE (Latest)
CVE (Oldest)
CVSS Score (Highest)
CVSS Score (Lowest)

CVE	CVSS Score	CWE(s)	EPSS Score	EPSS %	Impacted Versions
CVE-2017-1000500	High 8.8	CWE-290, CWE-640, CWE-602	0.00266	0.67152	3.0.0.CR1–3.4.1.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2017-12161	High 8.8	CWE-290, CWE-640, CWE-602	0.0027	0.67398	3.0.0.CR1–3.4.1.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2018-10894	Medium 5.4	CWE-295	0.00087	0.389	3.0.0.CR1–3.4.2.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2018-10912	Medium 4.9	CWE-835	0.00088	0.39007	4.0.0.Beta1–4.0.0.Beta3 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2018-14637	Medium 6.1	CWE-287, CWE-285	0.00218	0.59481	4.0.0.Beta1–4.5.0.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2018-14655	Medium 5.4	CWE-79	0.00098	0.41737	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2018-14658	Medium 6.1	CWE-601	0.00118	0.46445	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2019-10170	Medium 6.6	CWE-267	0.00088	0.39107	7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2019-10199	High 8.8	CWE-352	0.00073	0.33706	6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2019-10201	High 8.1	CWE-592, CWE-347	0.00064	0.29742	6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2019-14820	Medium 4.3	CWE-200	0.0005	0.21439	7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2019-14837	High 9.1	CWE-547, CWE-798	0.00267	0.6722	7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2019-3875	Medium 6.5	CWE-295, CWE-345	0.00057	0.25883	6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-10686	Medium 4.1	CWE-285	0.00072	0.33571	9.0.0 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-10770	Medium 5.3	CWE-918	0.25247	0.96684	12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-14359	High 7.3	CWE-305	0.00088	0.38948	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2019-3868	Low 3.8	CWE-200	0.00192	0.56804	5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-14389	High 8.1	CWE-916	0.00065	0.30211	11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1697	Medium 6.1	CWE-79	0.0005	0.21439	8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1698	Medium 5	CWE-532, CWE-200	0.00044	0.14307	8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1714	High 8.8	CWE-20	0.00243	0.63505	10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1723	Medium 4.3	CWE-601	0.00084	0.3766	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1724	Medium 4.3	CWE-613	0.00054	0.25116	9.0.0 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1725	Medium 5.4	CWE-863	0.00054	0.24764	12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1728	Medium 4.8	CWE-1021, CWE-358	0.00078	0.35818	9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1731	High 9.1	CWE-330, CWE-341	0.00214	0.58973	8.0.0–8.0.1 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-1744	Medium 5.6	CWE-755	0.00104	0.43333	9.0.0 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-27826	Medium 4.2	CWE-250	0.00054	0.25116	11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-27838	Medium 6.5	CWE-287	0.2761	0.96806	12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2020-35509	Medium 5.4	CWE-20, CWE-295	0.00054	0.25116	13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2021-20195	High 9.6	CWE-20, CWE-116, CWE-79	0.00163	0.5334	12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2021-20202	High 7.3	CWE-377	0.00044	0.14307	12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2021-20222	High 7.5	CWE-20	0.00167	0.53828	12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2021-20262	Medium 6.8	CWE-306	0.0007	0.327	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2021-3424	Medium 5.3	CWE-287	0.00082	0.36967	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2021-3632	High 7.5	CWE-287	0.00211	0.58702	15.0.0–15.0.2 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2021-3754	Medium 5.3	CWE-20	0.00089	0.3959	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2021-3856	Medium 4.3	CWE-552, CWE-22	0.00081	0.36648	15.0.0–15.0.2 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2022-1466	Medium 6.5	CWE-863	0.00084	0.37561	17.0.0 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2022-2256	Medium 5.4	CWE-79	0.0005	0.21439	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2023-0091	Low 3.8	CWE-863	0.00054	0.25116	20.0.0–20.0.2 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2023-0105	Medium 6.5	CWE-287	0.00079	0.36198	22.0.0 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2023-1664	Medium 6.5	CWE-295	0.00056	0.25524	21.0.0–21.1.1 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2023-6841	High 7.5	CWE-231	0.00046	0.18853	23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2024-10039	Unknown		None	None	26.0.0–26.0.5 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2024-1722	Low 3.7	CWE-645	0.00043	0.10859	23.0.0–23.0.5 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2024-5967	Low 2.7	CWE-276	0.00044	0.14714	26.0.0–26.0.7 25.0.0–25.0.6 24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2024-7260	Medium 6.1	CWE-601	0.00052	0.22602	24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2024-7318	Medium 4.8	CWE-324	0.00052	0.22602	24.0.0–24.0.5 23.0.0–23.0.7 22.0.0–22.0.5 21.0.0–21.1.2 20.0.0–20.0.5 19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.0.0–16.1.1 15.0.0–15.1.1 14.0.0 13.0.0–13.0.1 12.0.0–12.0.4 11.0.0–11.0.3 10.0.0–10.0.2 9.0.0–9.0.3 8.0.0–8.0.2 7.0.0–7.0.1 6.0.0–6.0.1 5.0.0 4.0.0.Beta1–4.8.3.Final 3.0.0.CR1–3.4.3.Final 2.0.0.CR1–2.5.5.Final 1.0-rc-1–1.9.8.Final
CVE-2016-8609	Low 3.7	CWE-287, CWE-384	0.00221	0.59789	2.0.0.CR1–2.3.0.CR1 1.0-rc-1–1.9.8.Final
CVE-2016-8629	Medium 6.5	CWE-264, CWE-284	0.00177	0.54958	2.0.0.CR1–2.4.0.CR1 1.0-rc-1–1.9.8.Final
CVE-2017-2582	Medium 6.5	CWE-201, CWE-200	0.01999	0.88529	2.0.0.CR1–2.5.0.Final 1.0-rc-1–1.9.8.Final
CVE-2017-2585	Medium 5.9	CWE-200, CWE-208	0.00382	0.72689	2.0.0.CR1–2.5.0.Final 1.0-rc-1–1.9.8.Final
CVE-2017-2646	High 7.5	CWE-835	0.00088	0.38944	2.0.0.CR1–2.5.4.Final 1.0-rc-1–1.9.8.Final
CVE-2014-3651	High 7.5	CWE-400	0.00143	0.50582	1.0-rc-1–1.0-final
CVE-2014-3656	Medium 6.1	CWE-79	0.00084	0.3766	1.0-rc-1–1.0-final
CVE-2022-0225	Medium 5.4	CWE-79	0.00058	0.2631	19.0.0–19.0.3 18.0.0–18.0.2 17.0.0–17.0.1 16.1.0–16.1.1
CVE-2021-20323	Medium 6.1	CWE-79	0.00228	0.60584	16.0.0–16.1.1 15.0.0–15.1.1
CVE-2023-4918	High 8.8	CWE-256, CWE-319	0.00144	0.50797	22.0.2

Keycloak Core Vulnerability Remediation Guidance

CVE	Description	Full list of Impacted Versions	Fix
CVE-2024-7318	A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2024-7260	An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2024-5967	None	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2024-1722	A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2024-10039	None	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2023-6841	A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2023-4918	A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment.	22.0.2	Patch → NO_SAFE_VERSION
CVE-2023-1664	A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2023-0105	A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2023-0091	A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2022-2256	A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2022-1466	Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2022-0225	A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.	18.0.2, 17.0.0, 17.0.1, 16.1.1, 18.0.1, 18.0.0, 19.0.1, 19.0.0 , 16.1.0, 19.0.2, 19.0.3 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-3856	ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-3754	A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-3632	A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-3424	A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-20323	A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.	16.1.1, 15.1.1, 15.0.2, 16.1.0, 15.0.0, 16.0.0, 15.0.1, 15.1.0	Patch → NO_SAFE_VERSION
CVE-2021-20262	A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-20222	A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-20202	A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-20195	A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-35509	A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-27838	A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-27826	A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1744	A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1731	A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1728	A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1725	A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1724	A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1723	The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages. This vulnerability could be used in phishing attacks. Versions shipped with Red Hat Mobile Aplication Platform 4 are believed to be vulnerable.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1714	A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1698	A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-1697	It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-14389	It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-14359	A vulnerability was found in all versions of keycloak, where on using lower case HTTP headers (via cURL) we can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a Gatekeeper in front of a Jetty server and use lowercase headers.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-10770	A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-10686	A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-3875	A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-3868	Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-14837	A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-14820	It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-10201	It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-10199	It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-10170	A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-14658	A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-14655	A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-14637	The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-10912	keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-10894	It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-2646	It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker could use this flaw to conduct denial of service attacks.	1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2, 1.0-beta-3 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-2585	Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks.	1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2, 1.0-beta-3 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-2582	It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.	1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2, 1.0-beta-3 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-12161	It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-1000500	REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-12161. Reason: This candidate is a reservation duplicate of CVE-2017-12161. Notes: All CVE users should reference CVE-2017-12161 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.	2.5.5.Final, 1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-8629	Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.	1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2, 1.0-beta-3 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-8609	It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.	1.9.0.Final, 1.8.0.CR1, 1.6.0.Final, 1.3.0.Final, 1.2.0.CR1, 1.1.0.Final, 1.0-rc-2, 1.0-beta-3 (Show all)	Patch → NO_SAFE_VERSION
CVE-2014-3656	JBoss KeyCloak: XSS in login-status-iframe.html	1.0-rc-2, 1.0-beta-3, 1.0.3.Final, 1.0-beta-1-20150523, 1.0-beta-1, 1.0-alpha-1, 1.0.4.Final, 1.0-final (Show all)	Patch → NO_SAFE_VERSION
CVE-2014-3651	JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation.	1.0-rc-2, 1.0-beta-3, 1.0-beta-1-20150523, 1.0-beta-1, 1.0-alpha-1, 1.0-final, 1.0-rc-1, 1.0-alpha-3 (Show all)	Patch → NO_SAFE_VERSION

Instantly see if these Keycloak Core vulnerabilities affect your code.

Scan for Free

Dependencies

Packages using versions of Keycloak Core affected by its vulnerabilities

Dependent Packages
org.keycloak:keycloak-common:
com.fasterxml.jackson.core:jackson-core:
com.fasterxml.jackson.core:jackson-databind:
com.fasterxml.jackson.datatype:jackson-datatype-jdk8:
com.fasterxml.jackson.datatype:jackson-datatype-jsr310:
org.jboss.logging:jboss-logging:
org.eclipse.microprofile.openapi:microprofile-openapi-api:
junit:junit: