Nixpkgs security tracker

Login with GitHub

Suggestions search

Untriaged
Filter by:
With package: terraform-providers.keycloak

Found 3 matching suggestions

View:
Compact
Detailed
Permalink CVE-2025-10044
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 7 months, 1 week ago Activity log
  • Created suggestion 7 months, 1 week ago
Keycloak: keycloak error_description injection on error pages

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.

References

Affected products

keycloak
  • <26.2.9
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
Red Hat build of Keycloak 26.2.9

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-3910
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 7 months, 1 week ago Activity log
  • Created suggestion 7 months, 1 week ago
Org.keycloak.authentication: two factor authentication bypass

A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

References

Affected products

keycloak
  • <26.1.*
  • <26.2.2
  • <25.*
  • <26.0.11
rhbk/keycloak-rhel9
  • *
keycloak-rhel9-container
  • *
org.keycloak.authentication
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
keycloak-rhel9-operator-container
  • *
keycloak-rhel9-operator-bundle-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-3501
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 7 months, 1 week ago Activity log
  • Created suggestion 7 months, 1 week ago
Org.keycloak.protocol.services: keycloak hostname verification

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

References

Affected products

keycloak
  • <26.1.*
  • <26.2.2
  • <25.*
  • <26.0.11
rh-sso7-keycloak
rhbk/keycloak-rhel9
  • *
keycloak-rhel9-container
  • *
Red Hat build of Keycloak 26
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
keycloak-rhel9-operator-container
  • *
keycloak-rhel9-operator-bundle-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

  • nixos-unstable -

Package maintainers