Vulnerabilities > Redhat > Keycloak > High

DATE CVE VULNERABILITY TITLE RISK
2022-01-25 CVE-2021-4133 Incorrect Authorization vulnerability in Redhat Keycloak
A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
network
low complexity
redhat CWE-863
8.8
2021-07-09 CVE-2021-3637 Unspecified vulnerability in Redhat Keycloak and Single Sign-On
A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.
network
low complexity
redhat
7.5
2021-05-12 CVE-2021-20202 Unspecified vulnerability in Redhat Keycloak
A flaw was found in keycloak.
local
low complexity
redhat
7.3
2021-03-23 CVE-2021-20222 Cross-site Scripting vulnerability in Redhat Keycloak
A flaw was found in keycloak.
network
high complexity
redhat CWE-79
7.5
2020-11-17 CVE-2020-14389 Use of Password Hash With Insufficient Computational Effort vulnerability in Redhat Keycloak
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
network
low complexity
redhat CWE-916
8.1
2020-11-09 CVE-2020-14366 Path Traversal vulnerability in Redhat Keycloak
A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path.
network
low complexity
redhat CWE-22
7.5
2020-09-16 CVE-2020-10758 Allocation of Resources Without Limits or Throttling vulnerability in Redhat products
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
network
low complexity
redhat CWE-770
7.5
2020-05-13 CVE-2020-1714 Improper Input Validation vulnerability in multiple products
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks.
network
low complexity
redhat quarkus CWE-20
8.8
2020-05-12 CVE-2020-1718 Improper Authentication vulnerability in Redhat Keycloak
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0.
network
low complexity
redhat CWE-287
8.8
2020-05-08 CVE-2019-10170 Unspecified vulnerability in Redhat Keycloak
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy.
network
low complexity
redhat
7.2