Все бюллетени/sisyphus/ALT-PU-2025-2840-8
ALT-PU-2025-2840-8

Обновление пакета keycloak в ветке sisyphus

Версия26.1.2-alt1
Задание#374709
Опубликовано2026-02-05
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (30)

BDU:2024-08198
HIGH7.7

Уязвимость класса XMLSignatureUtil программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю обойти существующие ограничения безопасности и повысить свои привилегии

Опубликовано: 2024-10-18Изменено: 2024-10-24
CVSS 3.xВЫСОКАЯ 7.7
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
CVSS 2.0СРЕДНЯЯ 6.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:P/A:P
Ссылки
BDU:2024-10692
HIGH7.1

Уязвимость реализации протокола mTLS (mutual TLS) программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-12-04
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0СРЕДНЯЯ 6.2
CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:C/A:N
Ссылки
BDU:2024-10695
LOW2.7

Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с некорректным внешним управлением именем или путем файла, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-12-04
CVSS 3.xНИЗКАЯ 2.7
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0СРЕДНЯЯ 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
Ссылки
BDU:2024-10706
MEDIUM5.9

Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с использованием предустановленных учетных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-12-04
CVSS 3.xСРЕДНЯЯ 5.9
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0СРЕДНЯЯ 5.4
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:N/A:N
Ссылки
BDU:2025-02196
MEDIUM6.5

Уязвимость функции SearchQueryUtils программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2025-03-03
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0СРЕДНЯЯ 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C
Ссылки
BDU:2025-02197
MEDIUM4.7

Уязвимость компонента Proxy Header Handler программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2025-03-03
CVSS 3.xСРЕДНЯЯ 4.7
CVSS:3.x/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0НИЗКАЯ 3.8
CVSS:2.0/AV:L/AC:H/Au:S/C:N/I:N/A:C
Ссылки
CVE-2021-44549
HIGH7.4

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429

Опубликовано: 2021-12-14Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 5.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS 3.xВЫСОКАЯ 7.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ссылки
CVE-2024-10270
MEDIUM6.5

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

Опубликовано: 2024-11-25Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2024-10451
MEDIUM5.9

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

Опубликовано: 2024-11-25Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 5.9
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2024-10492
LOW2.7

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

Опубликовано: 2024-11-25Изменено: 2026-04-15
CVSS 3.xНИЗКАЯ 2.7
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Ссылки
CVE-2024-11734
MEDIUM6.5

A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request.

Опубликовано: 2025-01-14Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2024-11736
MEDIUM4.9

A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.

Опубликовано: 2025-01-14Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 4.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2024-7260
MEDIUM6.1

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.

Опубликовано: 2024-09-09Изменено: 2024-10-01
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2024-7341
HIGH7.1

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Опубликовано: 2024-09-09Изменено: 2026-03-27
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Ссылки
CVE-2024-8698
HIGH7.7

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

Опубликовано: 2024-09-19Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Ссылки
CVE-2024-8883
MEDIUM6.1

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Опубликовано: 2024-09-19Изменено: 2024-11-26
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2024-9666
MEDIUM4.7

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

Опубликовано: 2024-11-25Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 4.7
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
GHSA-5545-r4hg-rj4m
MEDIUM5.1

Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path

Опубликовано: 2024-11-25
CVSS 3.xСРЕДНЯЯ 5.1
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0СРЕДНЯЯ 5.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-5rxp-2rhr-qwqv
HIGH7.1

Keycloak has session fixation in Elytron SAML adapters

Опубликовано: 2024-10-14Изменено: 2024-12-20
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Ссылки
GHSA-c69w-jj56-834w
HIGH7.4

Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Apache Sling Commons Messaging Mail

Опубликовано: 2021-12-16Изменено: 2022-01-04
CVSS 3.xВЫСОКАЯ 7.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ссылки
GHSA-f4v7-3mww-9gc2
MEDIUM4.9

Keycloak allows unrestricted admin use of system and environment variables

Опубликовано: 2025-01-13Изменено: 2025-01-14
CVSS 3.xСРЕДНЯЯ 4.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Ссылки
GHSA-g4gc-rh26-m3p5
MEDIUM4.8

Keycloak Open Redirect vulnerability

Опубликовано: 2024-09-10Изменено: 2024-09-10
CVSS 3.xСРЕДНЯЯ 4.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 4.0СРЕДНЯЯ 4.8
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-jgwc-jh89-rpgq
MEDIUM5.7

Keycloak proxy header handling Denial-of-Service (DoS) vulnerability

Опубликовано: 2024-11-25
CVSS 3.xСРЕДНЯЯ 5.7
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0СРЕДНЯЯ 5.7
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-v7gv-xpgf-6395
HIGH8.2

Keycloak Build Process Exposes Sensitive Data

Опубликовано: 2024-11-25
CVSS 3.xВЫСОКАЯ 8.2
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0ВЫСОКАЯ 8.2
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-w3g8-r9gw-qrh8
MEDIUM6.5

Denial of Service in Keycloak Server via Security Headers

Опубликовано: 2025-01-13Изменено: 2025-01-14
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
GHSA-w8gr-xwp4-r9f7
MEDIUM6.1

Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect

Опубликовано: 2024-10-14Изменено: 2024-12-20
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ссылки
GHSA-wq8x-cg39-8mrr
HIGH7.1

org.keycloak:keycloak-services has Inefficient Regular Expression Complexity

Опубликовано: 2024-11-25Изменено: 2024-11-25
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0ВЫСОКАЯ 7.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-xgfv-xpx8-qhcr
HIGH7.7

Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak

Опубликовано: 2024-10-14Изменено: 2024-12-20
CVSS 3.xВЫСОКАЯ 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Ссылки

Закрытые ошибки (1)

Ошибка #50434

Заменяется настроенный конфиг файл после обновления