Security

In Authentik versions prior to 2024.8.3 and 2024.6.5 a medium severity vulnerability CVE-2024-47077 was detected. This vulnerability allows attackers to steal access tokens from one application and use them to access or impersonate users in other applications without authorization. To fix this issue, users should upgrade Authentik to versions 2024.8.3 or 2024.6.5. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-47077.

In Keycloak versions before version 24.0.8 a medium severity vulnerability CVE-2024-8883 was detected. This vulnerability allows attackers to redirect users to fake websites, potentially stealing sensitive information like login details and taking over user accounts. To fix this issue, users should upgrade Keycloak to version 25.0.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8883.

In Keycloak versions before version 24.0.0 a critical severity vulnerability CVE-2024-8698 was detected. This vulnerability allows attackers to trick the system into accepting fake SAML messages, which could lead to unauthorized access or impersonation of users. To fix this issue, users should upgrade Keycloak to version 24.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8698.

In Traefik versions prior to 2.11.9 and 3.1.3 a critical severity vulnerability CVE-2024-45410 was detected. This vulnerability allows attackers to remove or modify certain HTTP headers, such as X-Forwarded-Host or X-Forwarded-Port, before requests are routed to the application. This manipulation can lead to security implications, as the application may trust these header values. To address this issue, users are advised to upgrade to versions 2.11.9 or 3.1.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-45410.

In Keycloak versions before 22.0.1 a high severity vulnerability CVE-2024-7341 was detected. This vulnerability allows attackers to take over a user’s session before they log in, giving them control of the account when the user signs in. To fix this issue, users should upgrade Keycloak to version 22.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7341.

In Keycloak versions before 25.0.6 a medium severity vulnerability CVE-2023-6841 was detected. This vulnerability allows attackers to initiate a denial of service by sending repeated HTTP requests, causing resource exhaustion. To fix this issue, users should upgrade Keycloak to version 25.0.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-6841.

In Keycloak versions prior to 24.0.6 a medium severity vulnerability CVE-2024-7318 was detected. This vulnerability allows expired OTP codes to remain valid for an extra 30 seconds, extending the attack window and making two OTPs valid simultaneously. To fix this problem, users should upgrade Keycloak to version 24.0.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7318.

In Keycloak versions before 24.0.7 a medium severity vulnerability CVE-2024-7260 was detected. This vulnerability allows attackers to craft a URL that tricks users or automation into visiting a malicious webpage by exploiting the referrer and referrer_uri parameters. To fix this issue, administrators should carefully validate and sanitize URL parameters and upgrate to 24.0.7 version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7260.

In Keycloak all versions a low severity vulnerability CVE-2024-5203 was detected. This vulnerability allows attackers to craft a fake login page and trick users into authenticating with an attacker-controlled account due to a missing unique token in the authentication POST request. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5203.