org.keycloak:keycloak-services 24.0.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Allocation of Resources Without Limits or Throttling org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens. How to fix Allocation of Resources Without Limits or Throttling? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Incorrect User Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect User Management in `oidc/OrganizationMembershipMapper.java`, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit. How to fix Incorrect User Management? Upgrade `org.keycloak:keycloak-services` to version 26.1.3 or higher.	[,26.1.3)
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-services` to version 26.0.8 or higher.	[,26.0.8)
M Denial of Service (DoS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure. Note: This is only exploitable if the attacker can change realm settings. How to fix Denial of Service (DoS)? Upgrade `org.keycloak:keycloak-services` to version 26.0.8 or higher.	[,26.0.8)
M External Control of File Name or Path org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of File Name or Path. An attacker could read sensitive information from a Vault file that is not within the expected context by exploiting this vulnerability. Note: This is only exploitable if the attacker has previous high access to the Keycloak server in order to perform resource creation. How to fix External Control of File Name or Path? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)
H Regular Expression Denial of Service (ReDoS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `SearchQueryUtils` method due to improper input sanitization. An attacker could exhaust system resources and achieve denial of service by exploiting this vulnerability. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)
M HTTP Request Smuggling org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of proxy headers resulting in costly DNS resolution operations. An attacker could tie up IO threads and potentially cause a denial of service by exploiting these operations. Notes: This is only exploitable if the attacker has access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers. For versions 26.x, this is only exploitable if the realm must have `SslRequired=EXTERNAL` (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the `X-Forwarded-For` header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating. How to fix HTTP Request Smuggling? Upgrade `org.keycloak:keycloak-services` to version 26.0.6 or higher.	[,26.0.6)
M Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Exploiting this vulnerability is possible if a `Valid Redirect URI` is set to `http://localhost/` or `http://127.0.0.1/`. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 22.0.13, 24.0.8, 25.0.6 or higher.	[,22.0.13)[24.0.0,24.0.8)[25.0.0,25.0.6)
H URL Redirection to Untrusted Site ('Open Redirect') org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Note: This is only exploitable if a 'Valid Redirect URI' is set to `http://localhost` or `http://127.0.0.1`. How to fix URL Redirection to Untrusted Site ('Open Redirect')? Upgrade `org.keycloak:keycloak-services` to version 22.0.13, 24.0.8, 25.0.6 or higher.	[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)
M Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect via the `referrer` and `referrer_uri` parameters. This allows an attacker who can convince an admin user to follow a malicious link - which may be further obfuscated by means such as URL encoding - to be redirected to a malicious location. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 25.0.0 or higher.	[,25.0.0)
H Improper Privilege Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via the admin REST API endpoints. An attacker with low privileges can perform actions reserved for administrators, potentially leading to data breaches or system compromise by exploiting administrative functionalities without proper authorization. How to fix Improper Privilege Management? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[,24.0.5)
M Insecure Storage of Sensitive Information org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using `client_secret_post` based authentication. This vulnerability derived from client-provided parameters that were included in plain text within the `KC_RESTART` cookie, which the authorization server returned in its HTTP response to a `request_uri` authorization request. To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information. Note If you use OIDC confidential clients together with PAR and use client authentication based on `client_id` and `client_secret` sent as parameters in the HTTP request body (method `client_secret_post` specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version. How to fix Insecure Storage of Sensitive Information? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[,24.0.5)
M Cleartext Storage of Sensitive Information in a Cookie org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in a Cookie in the OAuth 2.0 Pushed Authorization Requests (PAR) through the `KC_RESTART` cookie. An attacker can access sensitive client-provided parameters by intercepting HTTP responses from the authorization server. How to fix Cleartext Storage of Sensitive Information in a Cookie? Upgrade `org.keycloak:keycloak-services` to version 24.0.5 or higher.	[7.0.0,24.0.5)

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens.

How to fix Allocation of Resources Without Limits or Throttling?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Incorrect User Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect User Management in oidc/OrganizationMembershipMapper.java, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit.

How to fix Incorrect User Management?

Upgrade org.keycloak:keycloak-services to version 26.1.3 or higher.

[,26.1.3)

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

[,26.0.8)

Denial of Service (DoS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure.

Note: This is only exploitable if the attacker can change realm settings.

How to fix Denial of Service (DoS)?

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

[,26.0.8)

External Control of File Name or Path

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to External Control of File Name or Path. An attacker could read sensitive information from a Vault file that is not within the expected context by exploiting this vulnerability.

Note:

This is only exploitable if the attacker has previous high access to the Keycloak server in order to perform resource creation.

How to fix External Control of File Name or Path?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

Regular Expression Denial of Service (ReDoS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the SearchQueryUtils method due to improper input sanitization. An attacker could exhaust system resources and achieve denial of service by exploiting this vulnerability.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

HTTP Request Smuggling

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of proxy headers resulting in costly DNS resolution operations. An attacker could tie up IO threads and potentially cause a denial of service by exploiting these operations.

Notes:

This is only exploitable if the attacker has access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
For versions 26.x, this is only exploitable if the realm must have SslRequired=EXTERNAL (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the X-Forwarded-For header), and trusted proxies must not be set or must incorrectly trust the client from which the request is originating.

How to fix HTTP Request Smuggling?

Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

[,26.0.6)

Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking. Exploiting this vulnerability is possible if a Valid Redirect URI is set to http://localhost/ or http://127.0.0.1/.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 22.0.13, 24.0.8, 25.0.6 or higher.

[,22.0.13)[24.0.0,24.0.8)[25.0.0,25.0.6)

URL Redirection to Untrusted Site ('Open Redirect')

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') due to a misconfiguration flaw in the validation of redirect URIs. An attacker can redirect users to an arbitrary URL and potentially expose sensitive information such as authorization codes, leading to session hijacking.

Note: This is only exploitable if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1.

How to fix URL Redirection to Untrusted Site ('Open Redirect')?

Upgrade org.keycloak:keycloak-services to version 22.0.13, 24.0.8, 25.0.6 or higher.

[,22.0.13)[23.0.0,24.0.8)[25.0.0,25.0.6)

Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect via the referrer and referrer_uri parameters. This allows an attacker who can convince an admin user to follow a malicious link - which may be further obfuscated by means such as URL encoding - to be redirected to a malicious location.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 25.0.0 or higher.

[,25.0.0)

Improper Privilege Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via the admin REST API endpoints. An attacker with low privileges can perform actions reserved for administrators, potentially leading to data breaches or system compromise by exploiting administrative functionalities without proper authorization.

How to fix Improper Privilege Management?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[,24.0.5)

Insecure Storage of Sensitive Information

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using client_secret_post based authentication. This vulnerability derived from client-provided parameters that were included in plain text within the KC_RESTART cookie, which the authorization server returned in its HTTP response to a request_uri authorization request.

To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information.

Note

If you use OIDC confidential clients together with PAR and use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version.

How to fix Insecure Storage of Sensitive Information?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[,24.0.5)

Cleartext Storage of Sensitive Information in a Cookie

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in a Cookie in the OAuth 2.0 Pushed Authorization Requests (PAR) through the KC_RESTART cookie. An attacker can access sensitive client-provided parameters by intercepting HTTP responses from the authorization server.

How to fix Cleartext Storage of Sensitive Information in a Cookie?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

[7.0.0,24.0.5)

org.keycloak:keycloak-services@24.0.3 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?