org.keycloak:keycloak-services 21.0.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Allocation of Resources Without Limits or Throttling org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens. How to fix Allocation of Resources Without Limits or Throttling? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Incorrect User Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect User Management in `oidc/OrganizationMembershipMapper.java`, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit. How to fix Incorrect User Management? Upgrade `org.keycloak:keycloak-services` to version 26.1.3 or higher.	[,26.1.3)
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-services` to version 26.0.8 or higher.	[,26.0.8)
M Denial of Service (DoS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure. Note: This is only exploitable if the attacker can change realm settings. How to fix Denial of Service (DoS)? Upgrade `org.keycloak:keycloak-services` to version 26.0.8 or higher.	[,26.0.8)
M External Control of File Name or Path org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of File Name or Path. An attacker could read sensitive information from a Vault file that is not within the expected context by exploiting this vulnerability. Note: This is only exploitable if the attacker has previous high access to the Keycloak server in order to perform resource creation. How to fix External Control of File Name or Path? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)
H Regular Expression Denial of Service (ReDoS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `SearchQueryUtils` method due to improper input sanitization. An attacker could exhaust system resources and achieve denial of service by exploiting this vulnerability. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)
M HTTP Request Smuggling org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of proxy headers resulting in costly DNS resolution operations. An attacker could tie up IO threads and potentially cause a denial of service by exploiting these operations. Notes: This is only exploitable if the attacker has access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers. For versions 26.x, this is only exploitable if the realm must have `SslRequired=EXTERNAL` (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the `X-Forwarded-For` header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating. How to fix HTTP Request Smuggling? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)
M Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Exploiting this vulnerability is possible if a `Valid Redirect URI` is set to `http://localhost/` or `http://127.0.0.1/`. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 22.0.13, 24.0.8, 25.0.6 or higher.	[,22.0.13)[24.0.0,24.0.8)[25.0.0,25.0.6)
H URL Redirection to Untrusted Site ('Open Redirect') org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Note: This is only exploitable if a 'Valid Redirect URI' is set to `http://localhost` or `http://127.0.0.1`. How to fix URL Redirection to Untrusted Site ('Open Redirect')? Upgrade `org.keycloak:keycloak-services` to version 22.0.13, 24.0.8, 25.0.6 or higher.	[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)
M Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect via the `referrer` and `referrer_uri` parameters. This allows an attacker who can convince an admin user to follow a malicious link - which may be further obfuscated by means such as URL encoding - to be redirected to a malicious location. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 25.0.0 or higher.	[,25.0.0)
M Improper Enforcement of a Single, Unique Action org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Enforcement of a Single, Unique Action allowing an attacker to bypass brute force protection mechanisms by initiating multiple login requests simultaneously, thus exceeding the configured limits for failed attempts, before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. Note: This is only exploitable if Keycloak is configured with Brute Force Protection. How to fix Improper Enforcement of a Single, Unique Action? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Improper Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication due to improper handling of session management during the re-authentication process. An attacker can hijack an active session by exploiting the flawed re-authentication mechanism. How to fix Improper Authentication? Upgrade `org.keycloak:keycloak-services` to version 22.0.10, 24.0.3 or higher.	[,22.0.10)[23.0.0,24.0.3)
L Overly Restrictive Account Lockout Mechanism org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Overly Restrictive Account Lockout Mechanism due to a flaw in the account lockout mechanism. This issue may allow a remote unauthenticated attacker to prevent legitimate users from accessing their accounts by exploiting the account lockout functionality. Note: This is only exploitable if the realm is configured to use "User (Self) registration", the user registers with a username in email format, and the attacker discovers a valid email address for an account. How to fix Overly Restrictive Account Lockout Mechanism? Upgrade `org.keycloak:keycloak-services` to version 24.0.0 or higher.	[,24.0.0)
L Always-Incorrect Control Flow Implementation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. How to fix Always-Incorrect Control Flow Implementation? Upgrade `org.keycloak:keycloak-services` to version 24.0.0 or higher.	[,24.0.0)
H Improper Privilege Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via the admin REST API endpoints. An attacker with low privileges can perform actions reserved for administrators, potentially leading to data breaches or system compromise by exploiting administrative functionalities without proper authorization. How to fix Improper Privilege Management? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[,24.0.5)
M Insecure Storage of Sensitive Information org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using `client_secret_post` based authentication. This vulnerability derived from client-provided parameters that were included in plain text within the `KC_RESTART` cookie, which the authorization server returned in its HTTP response to a `request_uri` authorization request. To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information. Note If you use OIDC confidential clients together with PAR and use client authentication based on `client_id` and `client_secret` sent as parameters in the HTTP request body (method `client_secret_post` specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version. How to fix Insecure Storage of Sensitive Information? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[,24.0.5)
M Cleartext Storage of Sensitive Information in a Cookie org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in a Cookie in the OAuth 2.0 Pushed Authorization Requests (PAR) through the `KC_RESTART` cookie. An attacker can access sensitive client-provided parameters by intercepting HTTP responses from the authorization server. How to fix Cleartext Storage of Sensitive Information in a Cookie? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[7.0.0,24.0.5)
M Improper Input Validation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the `WebAuthn` authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication. How to fix Improper Input Validation? Upgrade `org.keycloak:keycloak-services` to version 23.0.5 or higher.	[,23.0.5)
H Origin Validation Error org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error due to the `checkLoginIframe` process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code. How to fix Origin Validation Error? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
L Authentication Bypass org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. How to fix Authentication Bypass? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
H Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to an issue in the `redirect_uri` validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
H Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Authorization Bypass Through User-Controlled Key org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with `TrustedDomain` configuration. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `org.keycloak:keycloak-services` to version 24.0.3 or higher.	[,24.0.3)
M Missing Critical Step in Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication. How to fix Missing Critical Step in Authentication? Upgrade `org.keycloak:keycloak-services` to version 22.0.10, 24.0.3 or higher.	[,22.0.10)[23.0.0,24.0.3)
M Improper Authorization org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them. How to fix Improper Authorization? Upgrade `org.keycloak:keycloak-services` to version 22.0.1 or higher.	[,22.0.1)
M Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the `form_post.jwt` response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 23.0.4 or higher.	[,23.0.4)
M Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the `OIDC redirect_uri` function. An attacker can submit a specially crafted request leading to cross-site scripting or further attacks by appending a wildcard to the token. How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)? Upgrade `org.keycloak:keycloak-services` to version 22.0.7 or higher.	[,22.0.7)
M LDAP Injection org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to LDAP Injection through the `UsernameForm` login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query. How to fix LDAP Injection? Upgrade `org.keycloak:keycloak-services` to version 23.0.1 or higher.	[,23.0.1)
M Credential Exposure org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the `password` and `password-confirm` fields from the form are treated as regular attributes. All users and clients with proper rights/roles are able to retrieve the user's passwords in cleartext. How to fix Credential Exposure? Upgrade `org.keycloak:keycloak-services` to version 22.0.3 or higher.	[,22.0.3)
H Improper Certificate Validation org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients. How to fix Improper Certificate Validation? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
M Cross-site Scripting (XSS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the `AssertionConsumerServiceURL` implementation. Exploiting this vulnerability is possible by sending a crafted SAML XML request. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
L Authentication Bypass by Spoofing org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a `device_code` to retrieve an access token for other OAuth clients. How to fix Authentication Bypass by Spoofing? Upgrade `org.keycloak:keycloak-services` to version 21.1.2 or higher.	[,21.1.2)
H Insufficient Verification of Data Authenticity org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens. How to fix Insufficient Verification of Data Authenticity? Upgrade `org.keycloak:keycloak-services` to version 21.0.1 or higher.	[,21.0.1)

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens.

How to fix Allocation of Resources Without Limits or Throttling?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Incorrect User Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect User Management in oidc/OrganizationMembershipMapper.java, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit.

How to fix Incorrect User Management?

Upgrade org.keycloak:keycloak-services to version 26.1.3 or higher.

[,26.1.3)

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

[,26.0.8)

Denial of Service (DoS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure.

Note: This is only exploitable if the attacker can change realm settings.

How to fix Denial of Service (DoS)?

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

[,26.0.8)

External Control of File Name or Path

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to External Control of File Name or Path. An attacker could read sensitive information from a Vault file that is not within the expected context by exploiting this vulnerability.

Note:

This is only exploitable if the attacker has previous high access to the Keycloak server in order to perform resource creation.

How to fix External Control of File Name or Path?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

Regular Expression Denial of Service (ReDoS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the SearchQueryUtils method due to improper input sanitization. An attacker could exhaust system resources and achieve denial of service by exploiting this vulnerability.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

HTTP Request Smuggling

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of proxy headers resulting in costly DNS resolution operations. An attacker could tie up IO threads and potentially cause a denial of service by exploiting these operations.

Notes:

This is only exploitable if the attacker has access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
For versions 26.x, this is only exploitable if the realm must have SslRequired=EXTERNAL (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the X-Forwarded-For header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating.

How to fix HTTP Request Smuggling?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Exploiting this vulnerability is possible if a Valid Redirect URI is set to http://localhost/ or http://127.0.0.1/.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 22.0.13, 24.0.8, 25.0.6 or higher.

[,22.0.13)[24.0.0,24.0.8)[25.0.0,25.0.6)

URL Redirection to Untrusted Site ('Open Redirect')

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking.

Note: This is only exploitable if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1.

How to fix URL Redirection to Untrusted Site ('Open Redirect')?

Upgrade org.keycloak:keycloak-services to version 22.0.13, 24.0.8, 25.0.6 or higher.

[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)

Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect via the referrer and referrer_uri parameters. This allows an attacker who can convince an admin user to follow a malicious link - which may be further obfuscated by means such as URL encoding - to be redirected to a malicious location.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 25.0.0 or higher.

[,25.0.0)

Improper Enforcement of a Single, Unique Action

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Enforcement of a Single, Unique Action allowing an attacker to bypass brute force protection mechanisms by initiating multiple login requests simultaneously, thus exceeding the configured limits for failed attempts, before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Note: This is only exploitable if Keycloak is configured with Brute Force Protection.

How to fix Improper Enforcement of a Single, Unique Action?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)

Improper Authentication

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication due to improper handling of session management during the re-authentication process. An attacker can hijack an active session by exploiting the flawed re-authentication mechanism.

How to fix Improper Authentication?

Upgrade org.keycloak:keycloak-services to version 22.0.10, 24.0.3 or higher.

[,22.0.10)[23.0.0,24.0.3)

Overly Restrictive Account Lockout Mechanism

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Overly Restrictive Account Lockout Mechanism due to a flaw in the account lockout mechanism. This issue may allow a remote unauthenticated attacker to prevent legitimate users from accessing their accounts by exploiting the account lockout functionality.

Note:

This is only exploitable if the realm is configured to use "User (Self) registration", the user registers with a username in email format, and the attacker discovers a valid email address for an account.

How to fix Overly Restrictive Account Lockout Mechanism?

Upgrade org.keycloak:keycloak-services to version 24.0.0 or higher.

[,24.0.0)

Always-Incorrect Control Flow Implementation

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.

How to fix Always-Incorrect Control Flow Implementation?

Upgrade org.keycloak:keycloak-services to version 24.0.0 or higher.

[,24.0.0)

Improper Privilege Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via the admin REST API endpoints. An attacker with low privileges can perform actions reserved for administrators, potentially leading to data breaches or system compromise by exploiting administrative functionalities without proper authorization.

How to fix Improper Privilege Management?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[,24.0.5)

Insecure Storage of Sensitive Information

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using client_secret_post based authentication. This vulnerability derived from client-provided parameters that were included in plain text within the KC_RESTART cookie, which the authorization server returned in its HTTP response to a request_uri authorization request.

To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information.

Note

If you use OIDC confidential clients together with PAR and use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version.

How to fix Insecure Storage of Sensitive Information?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[,24.0.5)

Cleartext Storage of Sensitive Information in a Cookie

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in a Cookie in the OAuth 2.0 Pushed Authorization Requests (PAR) through the KC_RESTART cookie. An attacker can access sensitive client-provided parameters by intercepting HTTP responses from the authorization server.

How to fix Cleartext Storage of Sensitive Information in a Cookie?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[7.0.0,24.0.5)

Improper Input Validation

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of error messages during the WebAuthn authentication or registration process. An attacker can inject malicious content into the logs by sending crafted error messages from the browser client during setup or authentication.

How to fix Improper Input Validation?

Upgrade org.keycloak:keycloak-services to version 23.0.5 or higher.

[,23.0.5)

Origin Validation Error

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error due to the checkLoginIframe process. An attacker can significantly impact the application's availability by sending millions of requests in seconds using simple code.

How to fix Origin Validation Error?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)

Authentication Bypass

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass due to improper enforcement of token types when validating signatures locally. An authenticated attacker could exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

How to fix Authentication Bypass?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)

Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to an issue in the redirect_uri validation logic. By exploiting this vulnerability an attacker is allowed to bypass otherwise explicitly allowed hosts.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)

Cross-site Scripting (XSS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to including JavaScript URIs in the SAML Assertion Consumer Service POST Binding URL (ACS). An attacker can execute arbitrary scripts in the context of the embedding origin on form submission.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)

Authorization Bypass Through User-Controlled Key

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client. A unauthorized user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade org.keycloak:keycloak-services to version 24.0.3 or higher.

[,24.0.3)

Missing Critical Step in Authentication

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the form of not sufficiently enforcing the second factor in multifactor authentication. A user can register a second factor for a known account, allowing step-up authentication.

How to fix Missing Critical Step in Authentication?

Upgrade org.keycloak:keycloak-services to version 22.0.10, 24.0.3 or higher.

[,22.0.10)[23.0.0,24.0.3)

Improper Authorization

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authorization such that the verified state is not reset when the email changes. It is possible for users to shadow others with the same email and lockout or impersonate them.

How to fix Improper Authorization?

Upgrade org.keycloak:keycloak-services to version 22.0.1 or higher.

[,22.0.1)

Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to improper validation of redirect URIs using the form_post.jwt response mode. An attacker can redirect a user to a malicious site and potentially steal authorization codes or tokens by exploiting the use of a wildcard in the JARM response.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 23.0.4 or higher.

[,23.0.4)

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the OIDC redirect_uri function. An attacker can submit a specially crafted request leading to cross-site scripting or further attacks by appending a wildcard to the token.

How to fix Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)?

Upgrade org.keycloak:keycloak-services to version 22.0.7 or higher.

[,22.0.7)

LDAP Injection

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to LDAP Injection through the UsernameForm login process due to improper escape of LDAP ID. An attacker can access existing usernames in the server by exploiting an LDAP query.

How to fix LDAP Injection?

Upgrade org.keycloak:keycloak-services to version 23.0.1 or higher.

[,23.0.1)

Credential Exposure

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Credential Exposure. When a user registers with the registration flow, the password and password-confirm fields from the form are treated as regular attributes. All users and clients with proper rights/roles are able to retrieve the user's passwords in cleartext.

How to fix Credential Exposure?

Upgrade org.keycloak:keycloak-services to version 22.0.3 or higher.

[,22.0.3)

Improper Certificate Validation

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Certificate Validation for OAuth/OpenID clients. When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client with a proper certificate can authorize itself as any other client and, therefore, access data belonging to other clients.

How to fix Improper Certificate Validation?

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

[,21.1.2)

Cross-site Scripting (XSS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of URI-schemes on SAML and OIDC via the AssertionConsumerServiceURL implementation. Exploiting this vulnerability is possible by sending a crafted SAML XML request.

How to fix Cross-site Scripting (XSS)?

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

[,21.1.2)

Authentication Bypass by Spoofing

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Spoofing within the Keycloak Device Authorisation Grant due to improper verification of the device code holder. Exploiting this vulnerability is possible under certain pre-conditions and it allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.

How to fix Authentication Bypass by Spoofing?

Upgrade org.keycloak:keycloak-services to version 21.1.2 or higher.

[,21.1.2)

Insufficient Verification of Data Authenticity

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity such that Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, can use that data to impersonate the victim and generate new session tokens.

How to fix Insufficient Verification of Data Authenticity?

Upgrade org.keycloak:keycloak-services to version 21.0.1 or higher.

[,21.0.1)

org.keycloak:keycloak-services@21.0.0 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?