Все бюллетени/p10/ALT-PU-2025-13422-5
ALT-PU-2025-13422-5

Обновление пакета keycloak в ветке p10

Версия26.4.0-alt1
Задание#397391
Опубликовано2026-03-07
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (60)

BDU:2024-08198
HIGH7.7

Уязвимость класса XMLSignatureUtil программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю обойти существующие ограничения безопасности и повысить свои привилегии

Опубликовано: 2024-10-18Изменено: 2024-10-24
CVSS 3.xВЫСОКАЯ 7.7
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
CVSS 2.0СРЕДНЯЯ 6.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:P/A:P
Ссылки
BDU:2024-09422
HIGH7.5

Уязвимость компонента BinaryStreamDriver Java-библиотеки для преобразования объектов в XML или JSON формат XStream, позволяющая нарушителю выполнить атаку типа «отказ в обслуживании»

Опубликовано: 2024-11-14Изменено: 2025-08-26
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
BDU:2024-10692
HIGH7.1

Уязвимость реализации протокола mTLS (mutual TLS) программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-12-04
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0СРЕДНЯЯ 6.2
CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:C/A:N
Ссылки
BDU:2024-10695
LOW2.7

Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с некорректным внешним управлением именем или путем файла, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-12-04
CVSS 3.xНИЗКАЯ 2.7
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0СРЕДНЯЯ 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
Ссылки
BDU:2024-10706
MEDIUM5.9

Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с использованием предустановленных учетных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-12-04
CVSS 3.xСРЕДНЯЯ 5.9
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0СРЕДНЯЯ 5.4
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:N/A:N
Ссылки
BDU:2025-01357
MEDIUM5.5

Уязвимость конфигурации JDBC_PING программного обеспечения для хранения данных Infinispan, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

Опубликовано: 2025-02-11Изменено: 2025-08-13
CVSS 3.xСРЕДНЯЯ 5.5
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0СРЕДНЯЯ 4.6
CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:N/A:N
Ссылки
BDU:2025-02196
MEDIUM6.5

Уязвимость функции SearchQueryUtils программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2025-03-03
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0СРЕДНЯЯ 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C
Ссылки
BDU:2025-02197
MEDIUM4.7

Уязвимость компонента Proxy Header Handler программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2025-03-03
CVSS 3.xСРЕДНЯЯ 4.7
CVSS:3.x/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0НИЗКАЯ 3.8
CVSS:2.0/AV:L/AC:H/Au:S/C:N/I:N/A:C
Ссылки
BDU:2025-08956
MEDIUM5.3

Уязвимость функции ClassUtils.getClass() библиотеки Apache Commons Lang для языка программирования Java, позволяющая нарушителю вызывать отказ в обслуживании

Опубликовано: 2025-07-24Изменено: 2026-04-20
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
Ссылки
BDU:2025-12593
HIGH7.5

Уязвимость сетевого программного средства Netty, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю осуществлять атаки с подменой HTTP-запросов

Опубликовано: 2025-10-08Изменено: 2026-02-10
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N
Ссылки
BDU:2025-12594
HIGH7.5

Уязвимость сетевого программного средства Netty, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2025-10-08Изменено: 2026-03-11
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
CVE-2021-44549
HIGH7.4

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429

Опубликовано: 2021-12-14Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 5.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS 3.xВЫСОКАЯ 7.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ссылки
CVE-2024-10270
MEDIUM6.5

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

Опубликовано: 2024-11-25Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2024-10451
MEDIUM5.9

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

Опубликовано: 2024-11-25Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 5.9
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2024-10492
LOW2.7

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

Опубликовано: 2024-11-25Изменено: 2026-04-15
CVSS 3.xНИЗКАЯ 2.7
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Ссылки
CVE-2024-11734
MEDIUM6.5

A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request.

Опубликовано: 2025-01-14Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2024-11736
MEDIUM4.9

A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.

Опубликовано: 2025-01-14Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 4.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2024-12397
HIGH7.4

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

Опубликовано: 2024-12-12Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 7.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ссылки
CVE-2024-47072
HIGH7.5

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

Опубликовано: 2024-11-08Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2024-7260
MEDIUM6.1

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.

Опубликовано: 2024-09-09Изменено: 2024-10-01
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2024-7341
HIGH7.1

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Опубликовано: 2024-09-09Изменено: 2026-03-27
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Ссылки
CVE-2024-8698
HIGH7.7

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

Опубликовано: 2024-09-19Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Ссылки
CVE-2024-8883
MEDIUM6.1

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Опубликовано: 2024-09-19Изменено: 2024-11-26
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2024-9666
MEDIUM4.7

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

Опубликовано: 2024-11-25Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 4.7
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2025-0736
MEDIUM5.5

A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.

Опубликовано: 2025-01-28Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 5.5
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2025-3501
HIGH8.2

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

Опубликовано: 2025-04-29Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 8.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Ссылки
CVE-2025-3910
MEDIUM5.4

A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

Опубликовано: 2025-04-29Изменено: 2025-08-18
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Ссылки
CVE-2025-48924
MEDIUM5.3

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Опубликовано: 2025-07-11Изменено: 2025-11-04
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ссылки
CVE-2025-49574
MEDIUM6.4

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.1, 3.20.2, and 3.15.6.

Опубликовано: 2025-06-23Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 6.4
CVSS:3.x/CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Ссылки
CVE-2025-5416
LOW2.7

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

Опубликовано: 2025-06-20Изменено: 2025-08-13
CVSS 3.xНИЗКАЯ 2.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Ссылки
CVE-2025-58056
LOW2.9

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

Опубликовано: 2025-09-03Изменено: 2025-09-08
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0НИЗКАЯ 2.9
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2025-58057
MEDIUM6.9

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.

Опубликовано: 2025-09-04Изменено: 2025-09-08
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0СРЕДНЯЯ 6.9
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2025-7365
HIGH7.1

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

Опубликовано: 2025-07-10Изменено: 2026-01-08
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Ссылки
CVE-2025-7962
MEDIUM6.0

In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.

Опубликовано: 2025-07-21Изменено: 2025-11-13
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0СРЕДНЯЯ 6.0
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-0871
MEDIUM4.9

A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

Опубликовано: 2026-02-27Изменено: 2026-03-05
CVSS 3.xСРЕДНЯЯ 4.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Ссылки
GHSA-269m-c36j-r834
MEDIUM5.5

Infinispan vulnerable to Insertion of Sensitive Information into Log File

Опубликовано: 2025-01-28Изменено: 2025-03-12
CVSS 3.xСРЕДНЯЯ 5.5
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Ссылки
GHSA-5545-r4hg-rj4m
MEDIUM5.1

Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path

Опубликовано: 2024-11-25
CVSS 3.xСРЕДНЯЯ 5.1
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0СРЕДНЯЯ 5.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-5jfq-x6xp-7rw2
MEDIUM5.4

Keycloak vulnerable to two factor authentication bypass

Опубликовано: 2025-04-30Изменено: 2025-07-28
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Ссылки
GHSA-5rxp-2rhr-qwqv
HIGH7.1

Keycloak has session fixation in Elytron SAML adapters

Опубликовано: 2024-10-14Изменено: 2024-12-20
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Ссылки
GHSA-9342-92gg-6v29
MEDIUM6.0

Jakarta Mail vulnerable to SMTP Injection

Опубликовано: 2025-07-21Изменено: 2026-04-16
CVSS 3.xСРЕДНЯЯ 6.0
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0СРЕДНЯЯ 6.0
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N
Ссылки
GHSA-9623-mj7j-p9v4
MEDIUM6.4

Quarkus potentially leaks data when duplicating a duplicated context

Опубликовано: 2025-06-23Изменено: 2025-12-22
CVSS 3.xСРЕДНЯЯ 6.4
CVSS:3.x/CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Ссылки
GHSA-c69w-jj56-834w
HIGH7.4

Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Apache Sling Commons Messaging Mail

Опубликовано: 2021-12-16Изменено: 2022-01-04
CVSS 3.xВЫСОКАЯ 7.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ссылки
GHSA-cxrx-q234-m22m
HIGH7.4

io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling

Опубликовано: 2024-12-12Изменено: 2025-06-10
CVSS 3.xВЫСОКАЯ 7.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ссылки
GHSA-f4v7-3mww-9gc2
MEDIUM4.9

Keycloak allows unrestricted admin use of system and environment variables

Опубликовано: 2025-01-13Изменено: 2025-01-14
CVSS 3.xСРЕДНЯЯ 4.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Ссылки
GHSA-fghv-69vj-qj49
NONE

Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions

Опубликовано: 2025-09-04Изменено: 2025-09-10
Ссылки
GHSA-g4gc-rh26-m3p5
MEDIUM4.8

Keycloak Open Redirect vulnerability

Опубликовано: 2024-09-10Изменено: 2024-09-10
CVSS 3.xСРЕДНЯЯ 4.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 4.0СРЕДНЯЯ 4.8
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-hfq9-hggm-c56q
HIGH7.7

XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream

Опубликовано: 2024-11-08Изменено: 2025-11-04
CVSS 3.xВЫСОКАЯ 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0ВЫСОКАЯ 7.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Ссылки
GHSA-hw58-3793-42gg
HIGH8.2

Keycloak hostname verification

Опубликовано: 2025-04-30Изменено: 2025-08-07
CVSS 3.xВЫСОКАЯ 8.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Ссылки
GHSA-j288-q9x7-2f5v
MEDIUM6.5

Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs

Опубликовано: 2025-07-11Изменено: 2025-11-05
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Ссылки
GHSA-jgwc-jh89-rpgq
MEDIUM5.7

Keycloak proxy header handling Denial-of-Service (DoS) vulnerability

Опубликовано: 2024-11-25
CVSS 3.xСРЕДНЯЯ 5.7
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0СРЕДНЯЯ 5.7
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-v4jw-m6rm-399h
MEDIUM4.9

Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes

Опубликовано: 2026-02-27Изменено: 2026-02-28
CVSS 3.xСРЕДНЯЯ 4.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Ссылки
GHSA-v7gv-xpgf-6395
HIGH8.2

Keycloak Build Process Exposes Sensitive Data

Опубликовано: 2024-11-25
CVSS 3.xВЫСОКАЯ 8.2
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0ВЫСОКАЯ 8.2
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-w3g8-r9gw-qrh8
MEDIUM6.5

Denial of Service in Keycloak Server via Security Headers

Опубликовано: 2025-01-13Изменено: 2025-01-14
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
GHSA-w8gr-xwp4-r9f7
MEDIUM6.1

Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect

Опубликовано: 2024-10-14Изменено: 2024-12-20
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ссылки
GHSA-wq8x-cg39-8mrr
HIGH7.1

org.keycloak:keycloak-services has Inefficient Regular Expression Complexity

Опубликовано: 2024-11-25Изменено: 2024-11-25
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0ВЫСОКАЯ 7.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-xgfv-xpx8-qhcr
HIGH7.7

Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak

Опубликовано: 2024-10-14Изменено: 2024-12-20
CVSS 3.xВЫСОКАЯ 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Ссылки
GHSA-xhpr-465j-7p9q
MEDIUM5.4

Keycloak phishing attack via email verification step in first login flow

Опубликовано: 2025-07-30
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Ссылки

Закрытые ошибки (1)

Ошибка #50434

Заменяется настроенный конфиг файл после обновления