Red Hat Keycloak vulnerabilities

CVE-2020-14366 [HIGH] CWE-22 CVE-2020-14366: A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the r A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can be exposed by this flaw

CVE-2020-1758 [MEDIUM] CWE-297 CVE-2020-1758: A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname v A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

CVE-2020-1714 [HIGH] CWE-20 CVE-2020-1714: A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInp A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

CVE-2020-1718 [HIGH] CWE-287 CVE-2020-1718: A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allow A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.

CVE-2020-1698 [MEDIUM] CWE-200 CVE-2020-1698: A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class ma A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-1724 [MEDIUM] CWE-613 CVE-2020-1724: A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is cur A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

CVE-2020-1744 [MEDIUM] CWE-755 CVE-2020-1744: A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authenticatio A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.

CVE-2020-1731 [CRITICAL] CWE-341 CVE-2020-1731: A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) whe A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.

CVE-2020-1697 [MEDIUM] CWE-79 CVE-2020-1697: It was found in all keycloak versions before 9.0.0 that links to external applications (Application It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

CVE-2019-14837 [CRITICAL] CWE-547 CVE-2019-14837: A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be '[email protected]'.

CVE-2019-10201 [HIGH] CWE-592 CVE-2019-10201: It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signa It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

CVE-2019-10199 [HIGH] CWE-352 CVE-2019-10199: It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

CVE-2019-3875 [MEDIUM] CWE-295 CVE-2019-3875: A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verificatio A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http

CVE-2019-10157 [MEDIUM] CWE-345 CVE-2019-10157: It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web to It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.

CVE-2019-3868 [LOW] CWE-200 CVE-2019-3868: Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the se Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.

CVE-2018-14657 [HIGH] CWE-307 CVE-2018-14657: A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.

CVE-2018-14655 [MEDIUM] CWE-79 CVE-2018-14655: A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_p A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

CVE-2018-14658 [MEDIUM] CWE-601 CVE-2018-14658: A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not n A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack

CVE-2016-8609 [HIGH] CWE-384 CVE-2016-8609: It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An atta It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.

CVE-2018-10894 [MEDIUM] CWE-345 CVE-2018-10894: It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired cert It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.