- What: An authorization bypass vulnerability exists in Keycloak's Admin API due to user-controlled keys.
- Impact: Attackers can potentially bypass authorization checks and gain unauthorized access to resources.
- Affected: org.keycloak:keycloak-services versions before the fix.
org.keycloak:keycloak-services@10.0.0 vulnerabilities

- Latest version: 26.5.1
- First published: 12 years ago
- Latest version published: 1 month ago
- Licenses detected: Apache-2.0 [1.0-alpha-1,)
- Package registry: Maven Central Repository

Direct vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package's dependencies.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

- Authorization Bypass Through User-Controlled Key (severity: Low; vulnerable range: [0,))
  Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if that user's unique identifier (UUID) is known. Note: this is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm, and the attacker knows the UUID of the victim user.
  How to fix: there is no fixed version for org.keycloak:keycloak-services.

- Improper Verification of Cryptographic Signature (severity: High; vulnerable range: [,26.5.3))
  Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the invitation tokens used in the registration process. An attacker can gain unauthorized access to organizations by modifying the organization ID and target email within a legitimate invitation token's JWT payload.
  How to fix: upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

- Improperly Implemented Security Check for Standard (severity: High; vulnerable range: [,26.5.3))
  Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard because they do not properly verify that an Identity Provider (IdP) is enabled before issuing tokens. An attacker can gain unauthorized access by issuing valid access tokens using a disabled Identity Provider's signing key.
  How to fix: upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

- Incorrect Privilege Assignment (severity: Medium; vulnerable range: [,26.5.3))
  Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to insufficient ownership verification in the UserManagedPermissionService (UMA Protection API). An attacker can modify or delete authorization rules for resources they do not own by updating or deleting a policy associated with multiple resources, because the authorization check only validates ownership of the first resource in the list.
  How to fix: upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

- Server-side Request Forgery (SSRF) (severity: Medium; vulnerable range: [0,))
  Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.
  How to fix: there is no fixed version for org.keycloak:keycloak-services.

- Improper Enforcement of Behavioral Workflow (severity: High; vulnerable range: [,26.5.2))
  Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow via the Token Exchange implementation. An attacker can obtain access and refresh tokens for users who have been disabled by invoking the token exchange flow with a privileged client, potentially resulting in unauthorized access to previously revoked privileges.
  How to fix: upgrade org.keycloak:keycloak-services to version 26.5.2 or higher.

- Time-of-check Time-of-use (TOCTOU) Race Condition (severity: Low)
  Affected versions of this