Version 26.0.6

Keycloak REST Services

No description available.

Install Instructions

mvn install keycloak-services
Language Java

Keycloak REST Services Vulnerabilities

CVE Severity CVSS Score CWE(s) EPSS Score EPSS % Impacted Versions
CVE-2014-3651 High 7.5 CWE-400 0.00143 0.50582
  • 1.0-rc-1–1.1.0.Beta2
CVE-2016-8629 Medium 6.5 CWE-264, CWE-284 0.00177 0.54958
  • 2.0.0.CR1–2.4.0.CR1
  • 1.0-rc-1–1.9.8.Final
CVE-2017-12159 High 7.5 CWE-613, CWE-352 0.00289 0.68511
  • 3.0.0.CR1–3.3.0.CR2
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2017-12160 High 7.2 CWE-287, CWE-285, CWE-284 0.00198 0.57484
  • 3.0.0.CR1–3.3.0.CR2
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2018-10894 Medium 5.4 CWE-295, CWE-345 0.00087 0.389
  • 4.0.0.Beta1–4.3.0.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2018-14637 High 8.1 CWE-287, CWE-285 0.00218 0.59481
  • 4.0.0.Beta1–4.5.0.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2018-14658 Medium 6.1 CWE-601 0.00118 0.46445
  • 4.0.0.Beta1–4.4.0.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2019-10170 High 7.2 CWE-267, CWE-269 0.00088 0.39107
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2019-10199 High 8.8 CWE-20, CWE-352 0.00073 0.33706
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2019-10201 High 8.1 CWE-592, CWE-347 0.00064 0.29742
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2019-14837 High 9.1 CWE-547, CWE-798 0.00267 0.6722
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2019-3868 Low 3.8 CWE-200 0.00192 0.56804
  • 6.0.0
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2019-3875 Medium 4.8 CWE-295, CWE-345 0.00057 0.25883
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2020-10776 Medium 4.8 CWE-79 0.00054 0.25116
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2020-14366 High 7.5 CWE-22 0.00172 0.54465
  • 11.0.0–11.0.2
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2020-1724 Medium 4.3 CWE-613 0.00054 0.25116
  • 9.0.0
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2020-1744 Medium 5.6 CWE-755, CWE-200 0.00104 0.43333
  • 9.0.0
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2020-1758 Medium 5.9 CWE-295, CWE-297 0.00128 0.48107
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2020-27838 Medium 6.5 CWE-287 0.2761 0.96806
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2020-35509 Medium 4.2 CWE-20 0.00054 0.25116
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2021-3424 Medium 5.3 CWE-287 0.00082 0.36967
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2021-3461 Medium 5.9 CWE-284 0.00063 0.29352
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2021-4133 High 8.8 CWE-863 0.00236 0.61212
  • 15.0.0–15.1.0
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2022-1245 High 9.8 CWE-863, CWE-639, CWE-862 0.00194 0.57066
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2022-1274 Medium 5.4 CWE-80, CWE-79 0.00075 0.34752
  • 20.0.0–20.0.4
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2022-1438 Medium 4.8 CWE-79 0.00137 0.49558
  • 26.0.0–26.0.7
  • 25.0.0–25.0.6
  • 24.0.0–24.0.5
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2022-2232 High 7.5 CWE-20 0.0006 0.26851
  • 23.0.0
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2022-4361 Medium 6.1 CWE-81, CWE-79 0.00058 0.26409
  • 21.0.0–21.1.1
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-0264 Medium 5 CWE-287, CWE-345 0.00048 0.19626
  • 21.0.0
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-0657 Low 3.4 CWE-273 0.00045 0.1735
  • 24.0.0–24.0.2
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-2422 High 7.1 CWE-295 0.00156 0.52414
  • 21.0.0–21.1.1
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-2585 High 8.1 CWE-358 0.001 0.42154
  • 21.0.0–21.1.1
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-3597 Medium 5 CWE-287 0.00045 0.1735
  • 24.0.0–24.0.2
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-6134 Medium 5.4 CWE-75, CWE-74, CWE-79 0.00134 0.49107
  • 23.0.0–23.0.2
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-6291 High 7.1 CWE-20, CWE-601 0.00144 0.5079
  • 23.0.0–23.0.2
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-6484 Medium 5.3 CWE-117 0.00046 0.18916
  • 23.0.0–23.0.4
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-6544 Medium 5.4 CWE-625 0.00044 0.14714
  • 24.0.0–24.0.2
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-6717 Medium 6 CWE-79 0.00044 0.11828
  • 24.0.0–24.0.2
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2023-6787 Medium 6.5 CWE-287 0.00045 0.1735
  • 24.0.0–24.0.2
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-10270 Medium 6.5 CWE-1333 0.00085 0.37802
  • 26.0.0–26.0.5
  • 25.0.0–25.0.6
  • 24.0.0–24.0.5
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-1132 High 8.1 CWE-22 0.00046 0.18916
  • 24.0.0–24.0.2
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-1249 High 7.4 CWE-346 0.00044 0.14714
  • 24.0.0–24.0.2
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-2419 High 7.1 CWE-601 0.00045 0.1735
  • 24.0.0–24.0.2
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-3656 High 8.1 CWE-200, CWE-269 0.00065 0.30316
  • 24.0.0–24.0.4
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-4540 High 7.5 CWE-200 0.00044 0.14714
  • 24.0.0–24.0.4
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-4629 Medium 6.5 CWE-837 0.00085 0.37918
  • 25.0.0–25.0.3
  • 24.0.0–24.0.5
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-7341 High 7.1 CWE-384 0.00193 0.5698
  • 25.0.0–25.0.4
  • 24.0.0–24.0.5
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2024-8883 Medium 6.1 CWE-601 0.00244 0.63656
  • 25.0.0–25.0.5
  • 24.0.0–24.0.5
  • 23.0.0–23.0.7
  • 22.0.0–22.0.5
  • 21.0.0–21.1.2
  • 20.0.0–20.0.5
  • 19.0.0–19.0.3
  • 18.0.0–18.0.2
  • 17.0.0–17.0.1
  • 16.0.0–16.1.1
  • 15.0.0–15.1.1
  • 14.0.0
  • 13.0.0–13.0.1
  • 12.0.0–12.0.4
  • 11.0.0–11.0.3
  • 10.0.0–10.0.2
  • 9.0.0–9.0.3
  • 8.0.0–8.0.2
  • 7.0.0–7.0.1
  • 6.0.0–6.0.1
  • 5.0.0
  • 4.0.0.Beta1–4.8.3.Final
  • 3.0.0.CR1–3.4.3.Final
  • 2.0.0.CR1–2.5.5.Final
  • 1.0-rc-1–1.9.8.Final
CVE-2014-3652 Medium 6.1 CWE-601 0.00084 0.3766
  • 1.0-rc-1–1.0-final
CVE-2014-3655 Medium 4.3 CWE-352 0.00088 0.39074
  • 1.0-rc-1–1.0-final
CVE-2014-3709 High 8.8 CWE-352 0.00293 0.68736
  • 1.0-rc-1–1.0-final
CVE-2014-3656 Medium 6.1 CWE-79 0.00084 0.3766
  • 1.0.1.Final–1.0.2.Final

Keycloak REST Services Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-8883 A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2024-7341 A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2024-4629 A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2024-4540 A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2024-3656 A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2024-2419 A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2024-1249 A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2024-1132 A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2024-10270 None 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6787 A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6717 A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6544 A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6484 A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6291 A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-6134 A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-3597 A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-2585 Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-2422 A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-0657 A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2023-0264 A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2022-4361 Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2022-2232 A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2022-1438 A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2022-1274 A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2022-1245 A privilege escalation flaw was found in the token exchange feature of Keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2021-4133 A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2021-3461 None 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2021-3424 A flaw was found in Keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick an admin into granting him extra privileges. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2020-35509 None 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2020-27838 A flaw was found in Keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication, which could be an issue if the same PUBLIC client is changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2020-1758 A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2020-1744 A flaw was found in Keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP, the failed login events for OTP are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2020-1724 A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2020-14366 A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2020-10776 A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2019-3875 A vulnerability was found in Keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL can be obtained from the URL provided in the certificate itself (the CRL distribution point, CDP) or through a separately configured path. CRLs are often available over the network through unsecured protocols ('http' or 'ldap'), so the caller should verify the CRL signature and possibly the certification path. Keycloak before 6.0.2 does not validate signatures on CRLs, which opens the door to attacks such as man-in-the-middle substitution of the CRL. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2019-3868 Keycloak up to version 6.0.0 allows the end-user token (access or ID token JWT) to be used as the session cookie for OIDC browser sessions. As a result, an attacker with access to a service provider's backend could hijack the user's browser session. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2019-14837 A flaw was found in Keycloak before version 8.0.0. The owner of the 'placeholder.org' domain can set up a mail server on that domain and, knowing only the name of a client, reset the password of the client's service-account user and then log in. For example, for the client name 'test' the email address will be 'service-account-test@placeholder.org'. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2019-10201 It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2019-10199 It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2019-10170 A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2018-14658 A flaw was found in JBoss Keycloak 3.2.1.Final. The redirect URL for both login and logout is not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before it is verified. This can lead to an open redirect attack. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2018-14637 The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
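CVE-2019-10201 (a SAML Response with its Signature elements stripped is still accepted) and CVE-2018-14637 (assertion expiry conditions ignored) are both failures of the same validation routine. Below is an added Python example, not Keycloak's code, of a SAML broker-side check that treats a missing signature as a rejection and enforces the Conditions window. The signature verifier is a stand-in that accepts one constructed value; a real deployment would verify XML-DSig against the IdP certificate. The sample Response, IdP issuer, NameID, timestamps and function names are all assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Callable

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlRejected(Exception):
    pass


def parse_saml_time(value: str) -> datetime:
    # SAML carries xs:dateTime in UTC, e.g. 2024-06-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: datetime,
                      verify_signature: Callable[[ET.Element], bool],
                      clock_skew: timedelta = timedelta(seconds=30)) -> str:
    """Accept a samlp:Response only if it is signed and its assertion is inside its validity window.

    Returns the asserted NameID; raises SamlRejected otherwise.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlRejected("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion")
    assertion = assertions[0]

    # 1. A missing signature is a rejection, not a pass. "Every signature present verifies"
    #    is vacuously true for an unsigned message, which is exactly the CVE-2019-10201 bug.
    signatures = root.findall("ds:Signature", NS) + assertion.findall("ds:Signature", NS)
    if not signatures:
        raise SamlRejected("message is not signed")
    if not all(verify_signature(sig) for sig in signatures):
        raise SamlRejected("signature verification failed")

    # 2. Enforce the Conditions window (CVE-2018-14637): an expired assertion is a replay.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        raise SamlRejected("assertion has no expiry")
    not_before = conditions.get("NotBefore")
    if not_before is not None and now + clock_skew < parse_saml_time(not_before):
        raise SamlRejected("assertion not yet valid")
    if now - clock_skew >= parse_saml_time(conditions.get("NotOnOrAfter")):
        raise SamlRejected("assertion expired")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        raise SamlRejected("assertion has no NameID")
    return name_id


# Stand-in for a real XML-DSig check (which would canonicalise SignedInfo and verify it
# against the IdP certificate); it simply accepts one constructed signature value.
KNOWN_GOOD_SIGNATURE = "c2lnbmVkLWJ5LXRoZS1pZHA="


def stand_in_verifier(sig: ET.Element) -> bool:
    return sig.findtext("ds:SignatureValue", default="", namespaces=NS).strip() == KNOWN_GOOD_SIGNATURE


def build_response(not_before: str, not_on_or_after: str, signature_value=None) -> str:
    """Constructed sample Response from a hypothetical IdP; omit signature_value for an unsigned one."""
    sig = ""
    if signature_value is not None:
        sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo/>'
               f'<ds:SignatureValue>{signature_value}</ds:SignatureValue></ds:Signature>')
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test</saml:Issuer>{sig}'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        '</saml:Assertion></samlp:Response>'
    )


def outcome(xml_text: str, now_iso: str) -> str:
    """'ok:<NameID>' or 'rejected:<reason>'; `now_iso` is the broker's clock as xs:dateTime."""
    try:
        return "ok:" + validate_response(xml_text, parse_saml_time(now_iso), stand_in_verifier)
    except SamlRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    window = ("2024-06-01T11:59:00Z", "2024-06-01T12:05:00Z")
    print(outcome(build_response(*window, KNOWN_GOOD_SIGNATURE), "2024-06-01T12:00:00Z"))
    print(outcome(build_response(*window), "2024-06-01T12:00:00Z"))                       # unsigned
    print(outcome(build_response(*window, "bogus"), "2024-06-01T12:00:00Z"))              # tampered
    print(outcome(build_response(*window, KNOWN_GOOD_SIGNATURE), "2024-06-01T13:00:00Z"))  # replayed later
```

The order matters: signature presence and validity are checked before anything in the assertion is trusted, and the time window is checked before the NameID is returned, so a stripped signature, a forged one and a captured-and-replayed assertion each fail at a distinct, logged step.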
CVE-2018-10894 It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2017-12160 It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2017-12159 It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. 1.1.0.Beta2, 2.2.0.CR1, 3.2.1.Final, 3.3.0.CR2, 3.0.0.Final, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final (Show all) Patch → NO_SAFE_VERSION
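CVE-2017-12159 (a CSRF cookie that is not unique per session) and CVE-2019-10199 (missing header checks in the account console) describe the two halves of a browser-side CSRF defence. The following is an added Python example, not Keycloak's code, of a guard that issues one secret token per session and additionally requires the request's Origin (or, failing that, Referer) to match the console's own origin. The origin, session identifiers and form field name are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit


class CsrfGuard:
    """Anti-CSRF for a browser-facing console such as an account page (hypothetical).

    Two independent checks: a secret token bound to one session (a token shared across
    sessions, as in CVE-2017-12159, lets any session's token pass for any other), and a
    check that the request originates from the console's own origin (the header check
    CVE-2019-10199 describes as missing).
    """

    def __init__(self, allowed_origin: str):
        self.allowed_origin = allowed_origin.rstrip("/").lower()
        self._tokens: Dict[str, str] = {}  # session id -> token, generated once per session

    def token_for(self, session_id: str) -> str:
        """Issue (or re-read) the token for a session; embed it in forms rendered for that session."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def check(self, session_id: str, headers: Dict[str, str], form: Dict[str, str]) -> Optional[str]:
        """Return None when the state-changing request may proceed, else the reason to reject it."""
        expected = self._tokens.get(session_id)
        submitted = form.get("csrf_token", "")
        # Constant-time compare; a token minted for another session is just as wrong as none.
        if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
            return "missing or foreign CSRF token"
        h = {k.lower(): v for k, v in headers.items()}
        origin = h.get("origin")
        if origin is None:
            referer = h.get("referer")
            if not referer:
                return "neither Origin nor Referer present"
            parts = urlsplit(referer)
            origin = f"{parts.scheme}://{parts.netloc}"
        if origin.rstrip("/").lower() != self.allowed_origin:
            return f"untrusted origin {origin}"
        return None


if __name__ == "__main__":
    guard = CsrfGuard("https://sso.example.test")
    tok_a, tok_b = guard.token_for("sess-a"), guard.token_for("sess-b")
    # Constructed requests: same-site, cross-session token, and a cross-site forgery.
    print(guard.check("sess-a", {"Origin": "https://sso.example.test"}, {"csrf_token": tok_a}))
    print(guard.check("sess-b", {"Origin": "https://sso.example.test"}, {"csrf_token": tok_a}))
    print(guard.check("sess-a", {"Origin": "https://evil.example"}, {"csrf_token": tok_a}))
```

Both checks are needed: the per-session token stops a forged cross-site form whose author cannot read the victim's page, and the origin check still rejects a request that somehow carries a valid token but arrives from an untrusted domain.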
CVE-2016-8629 Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm. 1.1.0.Beta2, 2.2.0.CR1, 2.2.0.Final, 2.0.0.Final, 1.9.3.Final, 1.9.2.Final, 1.9.0.CR1, 1.8.0.Final (Show all) Patch → NO_SAFE_VERSION
CVE-2014-3709 The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. 1.0-beta-2, 1.0-beta-1-20150521, 1.0-beta-1, 1.0.2.Final, 1.0-beta-3, 1.0-alpha-3, 1.0-beta-1-20150523, 1.0-alpha-2 (Show all) Patch → NO_SAFE_VERSION
CVE-2014-3656 JBoss KeyCloak: XSS in login-status-iframe.html 1.0.2.Final, 1.0.1.Final Patch → NO_SAFE_VERSION
CVE-2014-3655 JBoss KeyCloak is vulnerable to soft token deletion via CSRF 1.0-beta-2, 1.0-beta-1-20150521, 1.0-beta-1, 1.0-beta-3, 1.0-alpha-3, 1.0-beta-1-20150523, 1.0-alpha-2, 1.0-alpha-1 (Show all) Patch → NO_SAFE_VERSION
CVE-2014-3652 JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL. 1.0.4.Final, 1.0-beta-2, 1.0-beta-1-20150521, 1.0-beta-1, 1.0.2.Final, 1.0-beta-3, 1.0-alpha-3, 1.0-beta-1-20150523 (Show all) Patch → NO_SAFE_VERSION
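Three entries on this page are redirect_uri validation failures: CVE-2014-3652 (redirect URL not validated), CVE-2018-14658 (not normalized before verification) and CVE-2020-10776 (unsafe schemes accepted). The following is an added Python example, not Keycloak's code, of a validator that canonicalises a redirect_uri (scheme allowlist, lower-cased host, default port dropped, userinfo rejected, dot segments resolved after percent-decoding) and compares only the canonical form against registered URIs, including trailing-wildcard patterns. The registered URIs and sample inputs are assumptions for illustration.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote, urlsplit, urlunsplit

# Schemes acceptable for a redirect target. javascript:, data:, vbscript: and friends are
# never here; a native-app custom scheme would be added only for the client that registered it.
SAFE_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_redirect_uri(uri: str) -> Optional[str]:
    """Canonical form of a redirect_uri, or None if it is unusable as a redirect target."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return None
    try:
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port
        return None
    # No userinfo: 'https://good.example@evil.example/' would otherwise look like good.example.
    if not host or parts.username is not None or parts.password is not None:
        return None
    netloc = host if port is None or port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    raw_path = unquote(parts.path) or "/"
    if "\x00" in raw_path or "\\" in raw_path:
        return None
    path = posixpath.normpath(raw_path)  # resolves '.', '..' and '//' after decoding
    path = "/" + path.lstrip("/")        # normpath keeps a leading '//'; collapse it
    if raw_path.endswith("/") and path != "/":
        path += "/"                      # keep a trailing slash, it matters for prefix matches
    return urlunsplit((scheme, netloc, path, parts.query, ""))  # fragment dropped


def is_allowed_redirect(uri: str, registered: List[str]) -> bool:
    """Compare only normalised forms, so encoding and dot-segment tricks cannot bypass the list."""
    target = normalize_redirect_uri(uri)
    if target is None:
        return False
    for pattern in registered:
        if pattern.endswith("*"):
            prefix = normalize_redirect_uri(pattern[:-1])
            if prefix is not None and target.startswith(prefix):
                return True
        elif target == normalize_redirect_uri(pattern):
            return True
    return False


if __name__ == "__main__":
    # Constructed client registration and the kinds of redirect_uri an attacker would try.
    registered = ["https://app.example.com/callback/*"]
    for candidate in (
        "https://app.example.com/callback/done?state=1",
        "javascript:alert(1)",
        "HTTPS://App.Example.com:443/callback/../admin",
        "https://app.example.com/callback/%2e%2e/admin",
        "https://app.example.com@evil.example/callback/",
        "https://app.example.com/callbackevil",
    ):
        print(is_allowed_redirect(candidate, registered), candidate)
```

Registered patterns go through the same normaliser as the candidate, so a wildcard like https://app.example.com/callback/* cannot be matched by https://app.example.com/callbackevil, and a candidate that resolves to a different path after decoding and dot-segment removal is compared as what the browser will actually request.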
CVE-2014-3651 JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. 1.1.0.Beta2, 1.0.4.Final, 1.0-beta-2, 1.0-beta-1-20150521, 1.0-beta-1, 1.0.2.Final, 1.0-beta-3, 1.0-alpha-3 (Show all) Patch → NO_SAFE_VERSION

Dependencies

Packages using versions of Keycloak REST Services affected by its vulnerabilities

Dependent Packages
org.keycloak:keycloak-core:
org.keycloak:keycloak-core:
org.keycloak:${keycloak.crypto.artifactId}:
org.freemarker:freemarker:
jakarta.mail:jakarta.mail-api:
org.eclipse.angus:angus-mail:
org.keycloak:keycloak-common:
org.keycloak:keycloak-server-spi:
org.keycloak:keycloak-server-spi-private:
org.twitter4j:twitter4j-core:
org.jboss.logging:jboss-logging:
org.jboss.logging:commons-logging-jboss-logging:
org.jboss.logging:jboss-logging-annotations:
org.jboss.logging:jboss-logging-processor:
org.jboss.resteasy:resteasy-core:
io.quarkus.resteasy.reactive:resteasy-reactive:
io.quarkus.resteasy.reactive:resteasy-reactive-common:
org.apache.httpcomponents:httpclient:
jakarta.ws.rs:jakarta.ws.rs-api:
jakarta.transaction:jakarta.transaction-api:
jakarta.xml.soap:jakarta.xml.soap-api:
org.jboss.resteasy:resteasy-core-spi:
com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:
com.googlecode.owasp-java-html-sanitizer:java8-shim:
com.googlecode.owasp-java-html-sanitizer:java10-shim:
com.fasterxml.jackson.core:jackson-core:
com.fasterxml.jackson.core:jackson-databind:
com.fasterxml.jackson.core:jackson-annotations:
javax.annotation:javax.annotation-api:
com.fasterxml.jackson.datatype:jackson-datatype-jdk8:
com.fasterxml.woodstox:woodstox-core:${woodstox.version}
com.google.zxing:javase:
org.keycloak:keycloak-saml-core-public:
org.keycloak:keycloak-saml-core:
commons-io:commons-io:
com.apicatalog:titanium-json-ld:
io.setl:rdf-urdna:
junit:junit:
org.hamcrest:hamcrest:
com.icegreen:greenmail:
com.webauthn4j:webauthn4j-core:
com.github.ua-parser:uap-java:
org.eclipse.microprofile.openapi:microprofile-openapi-api:
io.smallrye.common:smallrye-common-annotation:
org.keycloak:keycloak-model-storage-private:
org.keycloak:keycloak-config-api: