Redhat: >> Single Sign-On >> 7.4.7 Security Vulnerabilities
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
CVSS Score
4.6
EPSS Score
0.018
Published
2023-12-14
A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.
CVSS Score
5.0
EPSS Score
0.034
Published
2023-08-04
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-08-26
A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].
CVSS Score
7.1
EPSS Score
0.001
Published
2022-04-01