Vulnerabilities > Redhat > Keycloak
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-13 | CVE-2023-0105 | Improper Authentication vulnerability in Redhat Keycloak A flaw was found in Keycloak. | 6.5 |
| 2022-08-26 | CVE-2021-3632 | Improper Authentication vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in Keycloak. | 7.5 |
| 2022-08-26 | CVE-2021-3856 | Path Traversal vulnerability in Redhat Keycloak ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. | 4.3 |
| 2022-08-23 | CVE-2020-35509 | Improper Certificate Validation vulnerability in Redhat Keycloak 11.0.3/12.0.0 A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. | 5.4 |
| 2022-08-23 | CVE-2021-3827 | Improper Authentication vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. | 6.8 |
| 2022-07-08 | CVE-2022-1245 | Authorization Bypass Through User-Controlled Key vulnerability in Redhat Keycloak A privilege escalation flaw was found in the token exchange feature of keycloak. | 9.8 |
| 2022-04-26 | CVE-2022-1466 | Incorrect Authorization vulnerability in Redhat Keycloak Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. | 4.0 |
| 2022-04-01 | CVE-2021-3461 | Insufficient Session Expiration vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. | 3.3 |
| 2022-03-25 | CVE-2021-20323 | Cross-site Scripting vulnerability in Redhat Keycloak A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. | 4.3 |
| 2022-01-25 | CVE-2021-4133 | Incorrect Authorization vulnerability in Redhat Keycloak A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. | 6.5 |