Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: python313Packages.python-keycloak

Found 2 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2025-12150
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 3 months ago Activity log
  • Created suggestion 3 months ago
Org.keycloak/keycloak-services: webauthn attestation statement verification bypass

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.

References

Affected products

keycloak
  • <26.4.4
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
org.keycloak/keycloak-services
Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Published
Permalink CVE-2023-4727
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 8 months ago by @Erethon Activity log
  • Created suggestion 9 months, 4 weeks ago
  • @Erethon accepted 8 months ago
  • @Erethon published on GitHub 8 months ago
Ca: token authentication bypass vulnerability

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.

References

Affected products

keycloak
  • <11.5.1
pki-core
  • *
pki-core:10.6
  • *
redhat-pki:10
  • *
pki-core:10.6/pki-core
redhat-pki:10/pki-core

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers