Vulnerabilities > Keycloak > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-02-21 | CVE-2017-12161 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Keycloak. It was found that Keycloak before 3.4.2.Final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. | 8.8 |
| 2017-12-29 | CVE-2014-3651 | Resource Exhaustion vulnerability in Keycloak. JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. | 7.5 |
| 2017-10-26 | CVE-2017-12159 | Insufficient Session Expiration vulnerability in multiple products. It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. | 7.5 |
| 2017-10-18 | CVE-2014-3709 | Cross-Site Request Forgery (CSRF) vulnerability in Keycloak. The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging the lack of CSRF protection. | 8.8 |