Security

In Keycloak versions before version 24.0.8 a medium severity vulnerability CVE-2024-8883 was detected. This vulnerability allows attackers to redirect users to fake websites, potentially stealing sensitive information like login details and taking over user accounts. To fix this issue, users should upgrade Keycloak to version 25.0.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8883.

In Keycloak versions before version 24.0.0 a critical severity vulnerability CVE-2024-8698 was detected. This vulnerability allows attackers to trick the system into accepting fake SAML messages, which could lead to unauthorized access or impersonation of users. To fix this issue, users should upgrade Keycloak to version 24.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8698.

In Traefik versions prior to 2.11.9 and 3.1.3 a critical severity vulnerability CVE-2024-45410 was detected. This vulnerability allows attackers to remove or modify certain HTTP headers, such as X-Forwarded-Host or X-Forwarded-Port, before requests are routed to the application. This manipulation can lead to security implications, as the application may trust these header values. To address this issue, users are advised to upgrade to versions 2.11.9 or 3.1.3. There are no known workarounds for this vulnerability. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-45410.

In Keycloak versions before 22.0.1 a high severity vulnerability CVE-2024-7341 was detected. This vulnerability allows attackers to take over a user’s session before they log in, giving them control of the account when the user signs in. To fix this issue, users should upgrade Keycloak to version 22.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7341.

In Keycloak versions before 25.0.6 a medium severity vulnerability CVE-2023-6841 was detected. This vulnerability allows attackers to initiate a denial of service by sending repeated HTTP requests, causing resource exhaustion. To fix this issue users should upgrade to version 25.0.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-6841.

In Keycloak versions 0 through 24.0.6 a medium severity vulnerability CVE-2024-7318 was detected. This vulnerability allows expired OTP codes to remain valid for an extra 30 seconds, extending the attack window and making two OTPs valid simultaneously. To fix this problem, users should upgrade to version 24.0.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7318.

In Keycloak versions before 24.0.7 a medium severity vulnerability CVE-2024-7260 was detected. This vulnerability allows attackers to craft a URL that tricks users or automation into visiting a malicious webpage by exploiting the referrer and referrer_uri parameters. To fix this issue, administrators should carefully validate and sanitize URL parameters and upgrate to 24.0.7 version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7260.

In Keycloak all versions a low severity vulnerability CVE-2024-5203 was detected. This vulnerability allows attackers to craft a fake login page and trick users into authenticating with an attacker-controlled account due to a missing unique token in the authentication POST request. There is no fixed version for Keycloak. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5203.

In Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR) a high severity vulnerability CVE-2024-4540 was detected. Client-provided parameters in plain text were found in the KC_RESTART cookie, potentially leading to an information disclosure vulnerability. There’s no fix available for this issue at the moment. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4540.