Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: terraform-providers.keycloak

Found 23 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2024-4629
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 3 months ago
Keycloak: potential bypass of brute force protection

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

References

Affected products

keycloak
  • ==24.0.3
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Untriaged
Permalink CVE-2024-1132
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 year, 3 months ago
Keycloak: path transversal in redirection validation

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.

References

Affected products

keycloak
  • <24.0.3
  • <22.0.10
upstream
keycloak-core
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
Red Hat AMQ Broker 7
mtr/mtr-rhel8-operator
  • *
mtr/mtr-operator-bundle
  • *
mta/mta-windup-addon-rhel9
  • *
org.keycloak/keycloak-core
mtr/mtr-web-container-rhel8
  • *
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
Red Hat build of Keycloak 22.0.10
mtr/mtr-web-executor-container-rhel8
  • *
org.wildfly.security-wildfly-elytron-parent

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Untriaged
Permalink CVE-2024-10973
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 year, 3 months ago
Keycloak: cli option for encrypted jgroups ignored

A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

References

Affected products

keycloak
  • *
  • <25.0
  • <23.0
org.keycloak/keycloak-quarkus-server

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers