Vulnerabilities > Redhat > Keycloak

DATE CVE VULNERABILITY TITLE RISK
2020-05-04 CVE-2020-10686 Unspecified vulnerability in Redhat Keycloak 8.0.2/9.0.0
A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself.
network
low complexity
redhat
4.7
2020-04-06 CVE-2020-1728 Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses.
network
low complexity
redhat quarkus CWE-1021
5.4
2020-03-24 CVE-2020-1744 Improper Handling of Exceptional Conditions vulnerability in Redhat Keycloak
A flaw was found in keycloak before version 9.0.1.
network
high complexity
redhat CWE-755
5.6
2020-02-10 CVE-2020-1697 Cross-site Scripting vulnerability in Redhat Keycloak
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks.
network
low complexity
redhat CWE-79
5.4
2020-01-08 CVE-2019-14820 Unspecified vulnerability in Redhat products
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL.
network
low complexity
redhat
4.3
2020-01-07 CVE-2019-14837 Use of Hard-coded Credentials vulnerability in Redhat Keycloak
A flaw was found in keycloack before version 8.0.0.
network
low complexity
redhat CWE-798
critical
9.1
2019-12-15 CVE-2014-3652 Open Redirect vulnerability in Redhat Keycloak 1.0.1
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.
network
low complexity
redhat CWE-601
6.1
2019-12-05 CVE-2019-14910 Improper Certificate Validation vulnerability in Redhat Keycloak 7.0.0/7.0.1
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.
network
low complexity
redhat CWE-295
critical
9.8
2019-12-04 CVE-2019-14909 Improper Authentication vulnerability in Redhat Keycloak 7.0.0/7.0.1
A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted.
network
low complexity
redhat CWE-287
8.3
2019-11-13 CVE-2014-3655 Cross-Site Request Forgery (CSRF) vulnerability in Redhat Jboss Enterprise web Server and Keycloak
JBoss KeyCloak is vulnerable to soft token deletion via CSRF
network
low complexity
redhat CWE-352
4.3