Keycloak has a vulnerability in its brute-force protection where attackers can make more password-guessing attempts than the configured limits allow by launching parallel login attempts, making user accounts easier to compromise.
Keycloak
Red Hat, 04.06.2026
Upgrade assessment: Security-relevant, update soon
Derived automatically from release, repo and CVE data — no judgment by a language model.
In Keycloak, users with email-like usernames can be locked out by other users when self-registration is enabled in the realm.
Keycloak allows using email addresses as usernames without checking if an account with that email already exists, which can prevent users from logging in or resetting their passwords.
A vulnerability in Keycloak allows administrators to modify LDAP connection settings and redirect configured credentials to a server they control, potentially exposing domain authentication credentials to attackers.
Keycloak's SAML adapters fail to properly change session IDs during login, allowing attackers to hijack existing sessions and impersonate legitimate users after authentication.
A misconfiguration in Keycloak allows attackers to redirect users to arbitrary websites when localhost URLs are configured as valid redirect addresses. This can lead to theft of authorization codes and hijacking of user sessions.
A vulnerability in Keycloak's SAML signature validation allows attackers to create forged authentication responses that bypass security checks, potentially leading to privilege escalation or identity impersonation attacks.
In Keycloak, a one-time passcode remains valid for twice as long as intended when FreeOTP is used, giving attackers a larger time window to compromise accounts.
Keycloak accidentally stores sensitive data like passwords in bytecode during the build process, making this information accessible at runtime and potentially exposing confidential data.
A vulnerability in Keycloak allows attackers to crash the server through complex regular expressions when untrusted data is processed, causing denial of service.
A vulnerability in Keycloak allows privileged users to read sensitive information from Vault files outside the intended context. Attackers need existing high-level access rights to the Keycloak server.
Keycloak version 26 and earlier can be subjected to denial-of-service attacks through manipulated proxy headers that cause the system to perform costly DNS operations, potentially blocking the service.
A vulnerability in Keycloak allows attackers on the local network to impersonate any user or client when mTLS authentication is used through a reverse proxy without pass-through TLS termination.
A vulnerability in Keycloak allows administrators with realm settings permissions to crash the service by inserting newlines into security headers, preventing users from accessing applications that rely on Keycloak for authentication.
Keycloak administrators can access confidential server environment variables and system properties by using special placeholders in configurable URLs, potentially exposing sensitive information.
In Keycloak, a configuration option for encrypted communication between servers doesn't work properly, causing data transmission to occur unencrypted instead of being secured as intended.
Keycloak fails to properly verify Active Directory account status after password resets, potentially allowing users with expired or disabled accounts to still authenticate successfully.
Keycloak incorrectly assigns users to organizations based only on email or username patterns. This can allow attackers to impersonate organization members when self-registration is enabled.
Keycloak incorrectly skips certificate verification when a specific verification policy is set to 'ALL', potentially allowing insecure connections to be established.
A vulnerability in Keycloak allows users to bypass required security measures such as setting up two-factor authentication.
In Keycloak, attackers can change their email address to a victim's during first login via Identity Provider, causing a verification email to be sent to the victim that grants account access if clicked.
A vulnerability in Keycloak allows administrators with limited privileges to grant themselves higher permissions, thereby gaining full access to system configuration and user data.
Keycloak users can send unwanted emails through the server by using special characters during email registration, which could serve as a starting point for further attacks.
A vulnerability in Keycloak's user console allows attackers to inject fake error messages through URL parameters that are then displayed in the trusted user interface, enabling phishing attacks to deceive users.
A vulnerability in Keycloak allows attackers to inject malicious code into realm import documents by exploiting the placeholder substitution feature. This can lead to unintended consequences within the Keycloak environment.
Keycloak servers can be overwhelmed by repeated TLS connection requests from attackers due to a Java default setting that allows harmful renegotiations. This can crash the service without attackers needing to authenticate themselves.
A vulnerability in Keycloak allows attackers to access the admin area through manipulated paths, even when it should be protected by a proxy configuration.
Keycloak server in debug mode binds the debug port to all network interfaces, allowing attackers on the local network to achieve remote code execution.
A vulnerability in Keycloak's LDAP user federation allows authenticated administrators to trigger unsafe Java object deserialization through malicious LDAP server configurations, potentially leading to code execution.
A security flaw in Keycloak allows attackers to impersonate arbitrary users by sending manipulated SAML messages with encrypted assertions, leading to unauthorized access and potential data exposure.