Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: keycloak

Found 2 matching suggestions

View:
Compact
Detailed
Permalink CVE-2025-12110
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    4 packages
    • terraform-providers.keycloak
    • python312Packages.python-keycloak
    • python313Packages.python-keycloak
    • terraform-providers.keycloak_keycloak
    4 months, 4 weeks ago
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

References

Affected products

keycloak
  • <26.4.3
keycloak-server
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Ignored packages (4)

Package maintainers

Upstream fix: https://github.com/keycloak/keycloak/commit/e0c1f2ee0fd14ba76338d9c2c213d45d0e857450
Permalink CVE-2025-11429
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    4 packages
    • terraform-providers.keycloak
    • python312Packages.python-keycloak
    • python313Packages.python-keycloak
    • terraform-providers.keycloak_keycloak
    4 months, 4 weeks ago
  • @LeSuisse accepted 4 months, 4 weeks ago
  • @LeSuisse published on GitHub 4 months, 4 weeks ago
Keycloak-server: too long and not settings compliant session

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Affected products

keycloak
  • <26.4.1
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Ignored packages (4)

Package maintainers

Upstream fix: https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d