Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: python311Packages.python-keycloak

Found 17 matching suggestions

View:
Compact
Detailed
Permalink CVE-2023-6484
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 8 months ago
Keycloak: log injection during webauthn authentication or registration

A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.

References

Affected products

keycloak
  • <22.0.9
  • <23.0.5
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
keycloak-rhel9-container
rh-sso-7/sso7-rhel8-operator
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
Red Hat build of Keycloak 22.0.10
keycloak-rhel9-operator-container
rh-sso-7/sso7-rhel8-init-container
  • *
rh-sso-7/sso7-rhel8-operator-bundle
  • *
keycloak-rhel9-operator-bundle-container

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2024-5967
2.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 8 months ago
Keycloak: leak of configured ldap bind credentials through the keycloak admin console

A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL  independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.

References

Affected products

keycloak
  • <25.0.1
  • <24.0.6
  • <22.0.12
keycloak-core
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2024-4540
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 8 months ago
Keycloak: exposure of sensitive information in pushed authorization requests (par) kc_restart cookie

A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.

References

Affected products

keycloak
  • *
keycloak-core
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2025-3910
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 8 months, 2 weeks ago
Org.keycloak.authentication: two factor authentication bypass

A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

References

Affected products

keycloak
  • <25.*
  • <26.2.2
  • <26.0.11
  • <26.1.*
rhbk/keycloak-rhel9
  • *
keycloak-rhel9-container
  • *
org.keycloak.authentication
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
keycloak-rhel9-operator-container
  • *
keycloak-rhel9-operator-bundle-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2025-5416
2.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 9 months, 3 weeks ago
Keycloak-core: keycloak environment information

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

References

Affected products

keycloak

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2025-2559
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 10 months, 3 weeks ago
Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.

References

Affected products

keycloak
  • <26.0.11
  • <26.1.5
keycloak-services
rhbk/keycloak-rhel9
  • *
keycloak-rhel9-container
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
keycloak-rhel9-operator-container
  • *
keycloak-rhel9-operator-bundle-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2025-3501
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 11 months, 2 weeks ago
Org.keycloak.protocol.services: keycloak hostname verification

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

References

Affected products

keycloak
  • <25.*
  • <26.2.2
  • <26.1.*
  • <26.0.11
rh-sso7-keycloak
rhbk/keycloak-rhel9
  • *
keycloak-rhel9-container
  • *
Red Hat build of Keycloak 26
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
keycloak-rhel9-operator-container
  • *
keycloak-rhel9-operator-bundle-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2024-11734
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 year ago
Org.keycloak:keycloak-quarkus-server: denial of service in keycloak server via security headers

A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request.

References

Affected products

keycloak
  • <26.0.8
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
org.keycloak/keycloak-quarkus-server

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2024-11736
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 year ago
Org.keycloak:keycloak-quarkus-server: unrestricted admin use of system and environment variables

A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.

References

Affected products

keycloak
  • <26.0.8
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
org.keycloak/keycloak-quarkus-server

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2024-4028
3.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year ago
Keycloak-core: stored xss in keycloak when creating a items in admin console

A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

References

Affected products

keycloak
  • <18.0.8
keycloak-core
rh-sso7-keycloak

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers