
cpe:2.3:a:[unknown]:keycloak:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: [Unknown] (5b07108a-8f0c-5d28-ab99-c4ff62adb460)
Product: Keycloak (b13dba45-073e-53fb-8047-8e4f0a7dbce1)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

CVE-2020-1728 | vulnerable | 2026-06-03 14:41:58.525183 | Details available
MEDIUM (4.8)
A vulnerability was found in all versions of Keycloak where the pages of the Admin Console area of the application are completely missing the general HTTP security headers in their HTTP responses. This does not directly lead to a security issue, but it can aid attackers in exploiting other problems: the missing headers needlessly make the server more prone to clickjacking, channel downgrade attacks and similar client-side attack vectors.
Published: 2020-04-06T13:04:23.000Z
Updated: 2024-08-04T06:46:30.949Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
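Added example (not part of the imported CVE data and not Keycloak's own code): a small audit function that takes the response headers of an admin-console page and reports which of the protections the advisory alludes to are absent. It treats clickjacking as covered by either X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive, requires HSTS with a max-age of at least one year (a threshold chosen here, not a Keycloak value), and checks X-Content-Type-Options. The two response dictionaries are constructed for the demonstration; in practice you would pass the headers of a real response to the admin console.

```python
"""Audit the defensive HTTP headers of a browser-facing response (added example)."""

# One year in seconds; the minimum HSTS max-age this example accepts.
MIN_HSTS_MAX_AGE = 31536000


def _parse_csp(value):
    """Return {directive: [sources]} for a Content-Security-Policy header value."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _hsts_max_age(value):
    """Extract the integer max-age from a Strict-Transport-Security value, or None."""
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_security_headers(headers):
    """Return a sorted list of findings for a dict of response headers.

    Header names are matched case-insensitively; an empty list means every
    check passed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Clickjacking: X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = _parse_csp(h.get("content-security-policy", ""))
    frame_ancestors = csp.get("frame-ancestors")
    if xfo not in ("DENY", "SAMEORIGIN") and not frame_ancestors:
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
    if frame_ancestors and "*" in frame_ancestors:
        findings.append("clickjacking: CSP frame-ancestors allows any origin")

    # Channel downgrade: HSTS must be present with a meaningful max-age.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("downgrade: Strict-Transport-Security missing")
    else:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append("downgrade: HSTS max-age below %d" % MIN_HSTS_MAX_AGE)

    # MIME sniffing of script/style responses.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("sniffing: X-Content-Type-Options nosniff missing")

    return sorted(findings)


# Constructed sample responses (not captured from a real Keycloak server).
BARE_RESPONSE = {"Content-Type": "text/html;charset=UTF-8", "Content-Length": "1234"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, resp in (("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_security_headers(resp) or ["ok"])
```

Feed it the header mapping of any HTTP client response (for example `dict(resp.headers)` from urllib or requests) against the admin-console URL; a non-empty result for the console pages is the condition the advisory describes.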
CVE-2020-1727 | vulnerable | 2026-06-03 14:41:58.524722 | Details available
MEDIUM (6.4)
A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation, as it allows a wide range of characters. This flaw allows a malicious actor to craft deep links that introduce further attack scenarios on affected clients.
Published: 2020-06-22T17:46:54.000Z
Updated: 2024-08-04T06:46:30.851Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2019-10170 | vulnerable | 2026-06-03 14:39:21.574098 | Details available
MEDIUM (6.6)
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via a policy. This flaw allows an authenticated attacker with realm-management permissions to configure a malicious script that is triggered on policy evaluation and executes arbitrary code with the permissions of the application user.
Published: 2020-05-08T13:47:37.000Z
Updated: 2024-08-04T22:10:09.965Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2019-10169 | vulnerable | 2026-06-03 14:39:21.573655 | Details available
MEDIUM (6.6)
A flaw was found in Keycloak's user-managed access interface, where it permits a script to be set in a UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script that is triggered on policy evaluation and executes arbitrary code with the permissions of the user running the application.
Published: 2020-05-08T13:47:00.000Z
Updated: 2024-08-04T22:10:10.032Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
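Added example for the two script-policy entries above (CVE-2019-10170 and CVE-2019-10169); it is not part of the imported CVE data and not Keycloak's own code. It walks a realm export and lists every authorization policy of type "js", flagging scripts that reach out of the policy context into the JVM. The assumed layout (clients[].authorizationSettings.policies[] with a "type" field and the script under config.code) and the suspicious-pattern heuristics are this example's assumptions; the realm export below is constructed, not taken from a real deployment.

```python
"""List script-based authorization policies in a Keycloak realm export (added example)."""
import json
import re

# Heuristic markers of a policy script escaping the evaluation context into the
# JVM. Labels and patterns are chosen for this example.
SUSPICIOUS = [
    ("jvm-class-access", re.compile(r"Java\.type\s*\(|\bjava\.lang\.")),
    ("process-exec", re.compile(r"\bRuntime\b.*\.exec\s*\(|\bProcessBuilder\b")),
    ("file-or-network-io", re.compile(r"\bjava\.(io|nio|net)\.")),
]


def find_script_policies(realm_export):
    """Return one dict per 'js' policy: {client, policy, suspicious: [labels]}.

    Every script policy is reported, since anyone who can edit it can run code
    on the server; 'suspicious' narrows down which ones already do so.
    """
    findings = []
    for client in realm_export.get("clients", []):
        settings = client.get("authorizationSettings") or {}
        for policy in settings.get("policies", []):
            if policy.get("type") != "js":
                continue
            code = (policy.get("config") or {}).get("code", "")
            hits = [label for label, pattern in SUSPICIOUS if pattern.search(code)]
            findings.append({
                "client": client.get("clientId"),
                "policy": policy.get("name"),
                "suspicious": hits,
            })
    return findings


# Constructed realm export fragment (assumed layout, not a real export).
SAMPLE_EXPORT = json.loads("""
{
  "realm": "demo",
  "clients": [
    {
      "clientId": "account",
      "authorizationSettings": null
    },
    {
      "clientId": "photoz",
      "authorizationSettings": {
        "policies": [
          {"name": "only-admins", "type": "role",
           "config": {"roles": "[{\\"id\\":\\"admin\\"}]"}},
          {"name": "business-hours", "type": "js",
           "config": {"code": "var h = new Date().getHours(); if (h > 8 && h < 18) { $evaluation.grant(); }"}},
          {"name": "backdoor", "type": "js",
           "config": {"code": "var rt = Java.type(\\"java.lang.Runtime\\").getRuntime(); rt.exec(\\"id\\"); $evaluation.grant();"}}
        ]
      }
    }
  ]
}
""")

if __name__ == "__main__":
    for f in find_script_policies(SAMPLE_EXPORT):
        print("%s / %s: %s" % (f["client"], f["policy"], ", ".join(f["suspicious"]) or "script policy"))
```

Run it over the JSON produced by a realm export; any result is worth reviewing, and a non-empty suspicious list is a policy to disable before anything else.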
CVE-2018-14637 | vulnerable | 2026-06-03 14:38:12.327924 | Details available
MEDIUM (6.1)
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
Published: 2018-11-30T13:00:00.000Z
Updated: 2024-08-05T09:38:12.558Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
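Added example (not part of the imported CVE data and not Keycloak's broker code): the time-window and single-use checks a SAML consumer endpoint has to apply before trusting an assertion. It enforces Conditions NotBefore/NotOnOrAfter, the tighter NotOnOrAfter on bearer SubjectConfirmationData, a small clock-skew tolerance (30 seconds, chosen here), and refuses an assertion ID that has already been accepted. The assertion is constructed for the demonstration. These checks only mean something after the XML signature over the assertion has been verified, which is deliberately out of scope for this snippet.

```python
"""Validate the validity window and single use of a SAML 2.0 assertion (added example)."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = dt.timedelta(seconds=30)  # tolerance chosen for this example


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return dt.datetime.fromisoformat(value)


def check_assertion_times(assertion_xml, now, seen_ids):
    """Return (accepted, reason) for an assertion presented at time `now`.

    `seen_ids` is the consumer's record of accepted assertion IDs; a second
    presentation of the same ID is refused as a replay.
    """
    root = ET.fromstring(assertion_xml)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element"

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return False, "Conditions element missing"

    not_before = conditions.get("NotBefore")
    if not_before and now + CLOCK_SKEW < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False, "Conditions has no NotOnOrAfter"
    if now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"

    # Bearer confirmation usually carries a tighter expiry than Conditions.
    for scd in assertion.findall(".//saml:SubjectConfirmationData", NS):
        exp = scd.get("NotOnOrAfter")
        if exp and now - CLOCK_SKEW >= parse_saml_time(exp):
            return False, "subject confirmation expired"

    assertion_id = assertion.get("ID")
    if not assertion_id:
        return False, "assertion has no ID"
    if assertion_id in seen_ids:
        return False, "assertion replayed"
    seen_ids.add(assertion_id)
    return True, "ok"


# Constructed assertion (no signature; hostnames are placeholders).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://sp.example.test/broker/endpoint"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:10:00Z">
    <saml:AudienceRestriction><saml:Audience>sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def demo():
    """Present the sample twice at a valid time, then once after the bearer expiry."""
    seen = set()
    fresh = parse_saml_time("2024-05-01T12:01:00Z")
    late = parse_saml_time("2024-05-01T12:07:00Z")
    return [
        check_assertion_times(SAMPLE_ASSERTION, fresh, seen),
        check_assertion_times(SAMPLE_ASSERTION, fresh, seen),
        check_assertion_times(SAMPLE_ASSERTION, late, set()),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The second presentation is the replay the advisory describes; the third shows why SubjectConfirmationData has to be checked separately from Conditions, since it expires first. The seen-ID set must be shared across cluster nodes and only needs to retain IDs until their NotOnOrAfter has passed.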
CVE-2018-10912 | vulnerable | 2026-06-03 14:38:00.428907 | Details available
MEDIUM (4.4)
Keycloak before version 4.0.0.Final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and enter an infinite loop. A malicious authenticated user could use this flaw to achieve denial of service on the server.
Published: 2018-07-23T22:00:00.000Z
Updated: 2024-08-05T07:54:36.292Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
