CVE-2024-7341 | High | Sep 09, 2024
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
24.0.10, 24.0.9, 24.0.8, 22.0.13, 24.0.7, 22.0.12, 25.0.2, 24.0.6, 25.0.1, 25.0.0
BDSA-2024-9788 | Medium | Dec 18, 2024
Keycloak is vulnerable to cleartext transmission of sensitive information due to a malfunction in the `KC_CACHE_EMBEDDED_MTLS_ENABLED` environment option. This could allow an attacker to read sensitive information from adjacent networks related to JGroups.
**Note: The authoring of this BDSA has been AI-assisted. The full technical details of the vulnerability have not been independently verified by the Black Duck Cybersecurity Research Center (CyRC).**
BDSA-2024-9052 | Medium | Nov 25, 2024
Keycloak is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. This could allow an attacker to exploit costly DNS resolution operations, tying up IO threads and potentially causing a denial of service.
**Note: The authoring of this BDSA has been AI-assisted. The full technical details of the vulnerability have not been independently verified by the Black Duck Cybersecurity Research Center (CyRC).**
BDSA-2024-9041 | Medium | Nov 25, 2024
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values.
**Note: CVE details have been utilized in generating this advisory. The details of the vulnerability have not been independently verified by Black Duck CyRC.**
BDSA-2024-6549 | Medium | Sep 20, 2024
**A vulnerability has been reported in Keycloak with the following commentary:**
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
**This vulnerability was published on the [GHSA Database](https://github.com/advisories/GHSA-4xx7-2cx3-x473) and has not been independently verified by [BlackDuck CyRC](https://www.synopsys.com/software-integrity/cybersecurity-research-center.html) Team.**
BDSA-2024-6548 | Medium | Sep 20, 2024
**A vulnerability has been reported in Keycloak with the following commentary:**
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
**This vulnerability was published on the [GHSA Database](https://github.com/advisories/GHSA-vvf8-2h68-9475) and has not been independently verified by [BlackDuck CyRC](https://www.synopsys.com/software-integrity/cybersecurity-research-center.html) Team.**
BDSA-2024-6182 | Medium | Sep 16, 2024
**A vulnerability has been reported in org.keycloak:keycloak-core with the following commentary:**
A denial of service vulnerability was found in Keycloak where the amount of attributes per object is not limited; an attacker, by sending repeated HTTP requests, could cause resource exhaustion when the application sends back rows with long attribute values.
**This vulnerability was published on the [GHSA Database](https://github.com/advisories/GHSA-w97f-w3hq-36g2) and has not been independently verified by [Synopsys CyRC](https://www.synopsys.com/software-integrity/cybersecurity-research-center.html) Team.**