org.keycloak:keycloak-core (maven) security advisories

HIGH 8.8

Maven

CVE-2023-4918

Keycloak vulnerable to Plaintext Storage of User Password

Sep 12, 2023

UNKNOWN

Maven

GHSA-755v-r4x4-qf7m

Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown

Nov 29, 2022

MEDIUM 5.4

Maven

CVE-2022-0225

Keycloak XSS via use of malicious payload as group name when creating new group from admin console

Aug 27, 2022

HIGH 7.1

Maven

CVE-2024-10039

Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

Nov 25, 2024

MEDIUM 4.6

Maven

CVE-2023-6927

keycloak-core: open redirect via "form_post.jwt" JARM response mode

Jan 23, 2024

MEDIUM 4.4

Maven

CVE-2024-7260

Keycloak Open Redirect vulnerability

Sep 9, 2024

MEDIUM 6.5

Maven

CVE-2023-6841

Keycloak Denial of Service vulnerability

Sep 10, 2024

MEDIUM 4.8

Maven

CVE-2024-7318

Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity

Oct 14, 2024

LOW 3.8

Maven

CVE-2024-4028

Keycloak allows cross-site scripting (XSS)

Feb 18, 2025

MEDIUM 5.4

Maven

CVE-2020-35509

Keycloak vulnerable to Improper Certificate Validation

Aug 24, 2022

MEDIUM 4.8

Maven

GHSA-57rh-gr4v-j5f6

Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date

Sep 9, 2024

LOW 3.7

Maven

GHSA-3hrr-xwvg-hxvr

Duplicate Advisory: Keycloak DoS via account lockout

Feb 29, 2024

MEDIUM 5.3

Maven

GHSA-j9xq-j329-2xvg

Duplicate Advisory: Keycloak user may register themselves with same email ID of any existing user

Aug 27, 2022

MEDIUM 6.5

Maven

GHSA-vhvq-jh34-3fc8

Duplicate Advisory: Keycloak allows impersonation and lockout due to email trust not being handled correctly

Jan 13, 2023

MEDIUM 6.5

Maven

GHSA-c892-cwq6-qrqf

Duplicate Advisory: Keycloak vulnerable to untrusted certificate validation

May 26, 2023

UNKNOWN

Maven

GHSA-qgm9-232x-hwpx

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Oct 18, 2018

MEDIUM 5.4

Maven

GHSA-w8v7-c7pm-7wfr

Duplicate Advisory: Keycloak vulnerable to Cross-Site Scripting (XSS)

Sep 2, 2022

UNKNOWN

Maven

CVE-2017-12161

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Oct 18, 2018

UNKNOWN

Maven

CVE-2020-1728

Improper Restriction of Rendered UI Layers or Frames in Keycloak

Apr 15, 2020

UNKNOWN

Maven

CVE-2016-8629

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Oct 18, 2018

LOW 2.7

Maven

GHSA-gmrm-8fx4-66x7

Duplicate Advisory: Keycloak: Leak of configured LDAP bind credentials

Jun 18, 2024

MEDIUM 4.3

Maven

CVE-2020-1724

Keycloak Insufficient Session Expiry

May 24, 2022

MEDIUM 4.7

Maven

CVE-2020-10686

Keycloak users may be able to remove MFA from other users' devices

May 24, 2022

MEDIUM 6.5

Maven

CVE-2020-27838

Keycloak discloses information without authentication

May 24, 2022

MEDIUM 5.5

Maven

CVE-2020-1698

Keycloak leaks sensitive information in logged exceptions

May 24, 2022

MEDIUM 6.5

Maven

CVE-2023-0105

Keycloak: Impersonation and lockout possible through incorrect handling of email trust

Jul 18, 2023

MEDIUM 6.8

Maven

CVE-2021-20262

Keycloak Missing authentication for critical function

Mar 12, 2021

MEDIUM 6.5

Maven

CVE-2023-1664

Keycloak Untrusted Certificate Validation vulnerability

Jun 30, 2023

MEDIUM 6.1

Maven

CVE-2014-3656

JBoss KeyCloak Cross-site Scripting Vulnerability

May 17, 2022

HIGH 8.8

Maven

CVE-2020-1714

Improper Input Validation in Keycloak

Feb 9, 2022

MEDIUM 6.1

Maven

CVE-2018-14658

Keycloak Open Redirect

May 13, 2022

MEDIUM 4.3

Maven

CVE-2021-3856

Keycloak has Files or Directories Accessible to External Parties

Aug 27, 2022

CRITICAL 9.1

Maven

CVE-2019-14837

keycloak vulnerable to unauthorized login via mail server setup

May 24, 2022

MEDIUM 5.9

Maven

CVE-2017-2585

keycloak-core vulnerable to timing attacks against JWS token verification

Oct 18, 2018

MEDIUM 6.5

Maven

CVE-2017-2582

keycloak-core discloses system properties

Oct 18, 2018

MEDIUM 6.5

Maven

CVE-2023-0091

Keycloak has lack of validation of access token on client registrations endpoint

Jan 12, 2023

MEDIUM 6.5

Maven

CVE-2022-1466

Improper authorization in Keycloak

Apr 27, 2022

HIGH 7.5

Maven

CVE-2021-3632

Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow

Aug 27, 2022

MEDIUM 6.1

Maven

CVE-2021-20323

Cross-site Scripting in Keycloak

Mar 26, 2022

HIGH 7.3

Maven

CVE-2021-20202

Temporary Directory Hijacking Vulnerability in Keycloak

Mar 18, 2022

CRITICAL 9.6

Maven

CVE-2021-20195

keycloak Self Stored Cross-site Scripting vulnerability

Jun 8, 2021

HIGH 8.8

Maven

CVE-2020-27826

Authentication Bypass in keycloak

Mar 18, 2022

MEDIUM 5.6

Maven

CVE-2020-1744

Exposure of Sensitive Information in keycloak

Sep 20, 2021

CRITICAL 9.8

Maven

CVE-2020-1731

Predictable password in Keycloak

Apr 15, 2020

MEDIUM 5.4

Maven

CVE-2020-1697

XSS in Keycloak

Apr 15, 2020

HIGH 8.1

Maven

CVE-2020-14389

Improper privilege management in Keycloak

Nov 10, 2021

MEDIUM 5.3

Maven

CVE-2020-10770

Keycloak vulnerable to Server-Side Request Forgery

May 24, 2022

MEDIUM 4.8

Maven

CVE-2019-3875

Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak

Jun 27, 2019

LOW 3.8

Maven

CVE-2019-3868

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak

Apr 30, 2019

MEDIUM 4.3

Maven

CVE-2019-14820

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak

Apr 15, 2020

HIGH 8.1

Maven

CVE-2019-10201

Improper Verification of Cryptographic Signature in keycloak

Sep 23, 2019

HIGH 8.8

Maven

CVE-2019-10199

Improper Input Validation and Cross-Site Request Forgery in Keycloak

Sep 23, 2019

HIGH 7.2

Maven

CVE-2019-10170

Privilege Defined With Unsafe Actions in Keycloak

Oct 21, 2021

HIGH 8.1

Maven

CVE-2018-14637

Improper Authentication in Keycloak

Dec 21, 2018

MEDIUM 4.9

Maven

CVE-2018-10912

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Oct 18, 2018

HIGH 7.5

Maven

CVE-2017-2646

Keycloak vulnerable to infinite loop based Denial of Service

Oct 18, 2018

HIGH 8.1

Maven

CVE-2016-8609

Improper Authentication in org.keycloak:keycloak-core

Oct 18, 2018

HIGH 7.5

Maven

CVE-2014-3651

Keycloak vulnerable to uncontrolled resource consumption

Oct 18, 2018

org.keycloak:keycloak-core

Vulnerabilities

Keycloak vulnerable to Plaintext Storage of User Password

Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown

Keycloak XSS via use of malicious payload as group name when creating new group from admin console

Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

keycloak-core: open redirect via "form_post.jwt" JARM response mode

Keycloak Open Redirect vulnerability

Keycloak Denial of Service vulnerability

Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity

Keycloak allows cross-site scripting (XSS)

Keycloak vulnerable to Improper Certificate Validation

Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date

Duplicate Advisory: Keycloak DoS via account lockout

Duplicate Advisory: Keycloak user may register themselves with same email ID of any existing user

Duplicate Advisory: Keycloak allows impersonation and lockout due to email trust not being handled correctly

Duplicate Advisory: Keycloak vulnerable to untrusted certificate validation

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Duplicate Advisory: Keycloak vulnerable to Cross-Site Scripting (XSS)

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Improper Restriction of Rendered UI Layers or Frames in Keycloak

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Duplicate Advisory: Keycloak: Leak of configured LDAP bind credentials

Keycloak Insufficient Session Expiry

Keycloak users may be able to remove MFA from other users' devices

Keycloak discloses information without authentication

Keycloak leaks sensitive information in logged exceptions

Keycloak: Impersonation and lockout possible through incorrect handling of email trust

Keycloak Missing authentication for critical function

Keycloak Untrusted Certificate Validation vulnerability

JBoss KeyCloak Cross-site Scripting Vulnerability

Improper Input Validation in Keycloak

Keycloak Open Redirect

Keycloak has Files or Directories Accessible to External Parties

keycloak vulnerable to unauthorized login via mail server setup

keycloak-core vulnerable to timing attacks against JWS token verification

keycloak-core discloses system properties

Keycloak has lack of validation of access token on client registrations endpoint

Improper authorization in Keycloak

Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow

Cross-site Scripting in Keycloak

Temporary Directory Hijacking Vulnerability in Keycloak

keycloak Self Stored Cross-site Scripting vulnerability

Authentication Bypass in keycloak

Exposure of Sensitive Information in keycloak

Predictable password in Keycloak

XSS in Keycloak

Improper privilege management in Keycloak

Keycloak vulnerable to Server-Side Request Forgery

Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak

Exposure of Sensitive Information to an Unauthorized Actor in Keycloak

Improper Verification of Cryptographic Signature in keycloak

Improper Input Validation and Cross-Site Request Forgery in Keycloak

Privilege Defined With Unsafe Actions in Keycloak

Improper Authentication in Keycloak

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Keycloak vulnerable to infinite loop based Denial of Service

Improper Authentication in org.keycloak:keycloak-core

Keycloak vulnerable to uncontrolled resource consumption

Start Securing