ALT-PU-2026-3392-3

Update of the keycloak package in the sisyphus branch

Version: 26.5.4-alt1
Task: #408332
Published: 2026-03-19
Max. severity: MEDIUM

Closed issues (9)

CVE-2025-5416
LOW 2.7

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

Published: 2025-06-20, modified: 2025-08-13
CVSS 3.x: LOW 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVE-2026-0707
MEDIUM 5.3

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from the RFC 6750 specification.

Published: 2026-01-08, modified: 2026-04-15
CVSS 3.x: MEDIUM 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2026-1190
LOW 3.1

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Published: 2026-01-26, modified: 2026-04-15
CVSS 3.x: LOW 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2026-2575
MEDIUM 5.3

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application-level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

Published: 2026-03-18, modified: 2026-03-18
CVSS 3.x: MEDIUM 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
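The mitigation for this class of bug is to bound the inflated size while decoding the Redirect Binding rather than inflating first and checking afterwards. The following is an added example, not code from this advisory or from Keycloak; the 64 KiB limit, the sample AuthnRequest and the function names are assumptions made for the illustration.

```python
import base64
import zlib

# Cap on the inflated SAMLRequest held in memory. The value is an assumption
# for this example; real AuthnRequests are a few kilobytes, so 64 KiB is ample.
MAX_INFLATED_BYTES = 64 * 1024

# Constructed sample AuthnRequest; not taken from any real deployment.
SAMPLE_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example" Version="2.0" IssueInstant="2026-03-19T00:00:00Z" '
    b'AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
)


class SamlRequestTooLarge(ValueError):
    """The DEFLATE stream would expand past the configured limit."""


def encode_redirect_saml_request(xml: bytes) -> str:
    """Redirect Binding encoding: raw DEFLATE (wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode("ascii")


def decode_redirect_saml_request(param: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a SAMLRequest parameter with a hard cap on the output size.
    The weak pattern is zlib.decompress(raw, -15), which allocates whatever the
    stream expands to. Driving a decompressobj with max_length returns at most
    that many bytes per call and parks unprocessed input in unconsumed_tail, so
    an oversized payload is rejected as soon as the budget is exhausted."""
    pending = base64.b64decode(param, validate=True)
    inflater = zlib.decompressobj(-15)
    out = bytearray()
    while pending:
        # Request one byte beyond the remaining budget: exceeding the limit is
        # then observable without ever materialising the full expansion.
        out += inflater.decompress(pending, max_length=limit + 1 - len(out))
        if len(out) > limit:
            raise SamlRequestTooLarge(f"inflated SAMLRequest exceeds {limit} bytes")
        pending = inflater.unconsumed_tail
    if not inflater.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def make_oversized_request(size: int = 8 * 1024 * 1024) -> str:
    """Highly compressible input: a few KiB on the wire, `size` bytes inflated."""
    return encode_redirect_saml_request(b" " * size + SAMPLE_AUTHN_REQUEST)
```

A normal request round-trips unchanged, while the padded one is refused after at most 64 KiB has been inflated, whatever its true expansion.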
CVE-2026-2733
LOW 3.8

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

Published: 2026-02-19, modified: 2026-04-15
CVSS 3.x: LOW 3.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
GHSA-63v5-26vq-m4vm
LOW 3.1

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

Published: 2026-01-27, modified: 2026-03-06
CVSS 3.x: LOW 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
GHSA-gv94-wp4h-vv8p
MEDIUM 5.3

Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Published: 2026-01-08, modified: 2026-03-06
CVSS 3.x: MEDIUM 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Closed bugs (1)

The service must be run as an unprivileged user