Vulnerabilities > Keycloak
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-02-21 | CVE-2017-12161 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Keycloak It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. | 8.8 |
| 2017-12-29 | CVE-2014-3651 | Resource Exhaustion vulnerability in Keycloak JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. | 7.5 |
| 2017-10-26 | CVE-2017-12159 | Insufficient Session Expiration vulnerability in multiple products It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. | 7.5 |
| 2017-10-26 | CVE-2017-12158 | Cross-site Scripting vulnerability in multiple products It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. | 5.4 |
| 2017-10-18 | CVE-2014-3709 | Cross-Site Request Forgery (CSRF) vulnerability in Keycloak The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. | 8.8 |
| 2017-05-12 | CVE-2017-7474 | Unspecified vulnerability in Keycloak Keycloak-Nodejs-Auth-Utils It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. | 9.8 |