Vulnerabilities > Redhat > Keycloak > 9.0.2

DATE CVE VULNERABILITY TITLE RISK
2020-12-15 CVE-2020-14302 Authentication Bypass by Capture-replay vulnerability in Redhat Keycloak
A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter.
network
low complexity
redhat CWE-294
4.0
2020-12-15 CVE-2020-10770 Server-Side Request Forgery (SSRF) vulnerability in Redhat Keycloak
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out to an unverified URL using the OIDC parameter request_uri.
network
low complexity
redhat CWE-918
5.3
2020-11-17 CVE-2020-14389 Use of Password Hash With Insufficient Computational Effort vulnerability in Redhat Keycloak
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
network
low complexity
redhat CWE-916
8.1
2020-11-17 CVE-2020-10776 Cross-site Scripting vulnerability in Redhat Keycloak
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter.
network
redhat CWE-79
3.5
2020-11-09 CVE-2020-14366 Path Traversal vulnerability in Redhat Keycloak
A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path.
network
low complexity
redhat CWE-22
7.5
2020-09-16 CVE-2020-1694 Incorrect Permission Assignment for Critical Resource vulnerability in Redhat Keycloak
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience.
network
low complexity
redhat CWE-732
4.0
2020-09-16 CVE-2020-10758 Allocation of Resources Without Limits or Throttling vulnerability in Redhat Keycloak
A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
network
low complexity
redhat CWE-770
5.0
2020-05-15 CVE-2020-1758 Improper Certificate Validation vulnerability in Redhat Keycloak
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server.
network
high complexity
redhat CWE-295
5.9
2020-05-13 CVE-2020-1714 Improper Input Validation vulnerability in multiple products
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks.
network
low complexity
redhat quarkus CWE-20
6.5
2020-04-06 CVE-2020-1728 Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products
A vulnerability was found in all versions of Keycloak where the pages in the Admin Console area of the application are completely missing general HTTP security headers in HTTP responses.
network
low complexity
redhat quarkus CWE-1021
5.4