Vulnerabilities: 2 via 2 paths

Dependencies: 145

Source: GitHub

medium severity

Open Redirect

  • Vulnerable module: keycloak-connect
  • Introduced through: keycloak-connect@11.0.3

Detailed paths

  • Introduced through: simple-keycloak@SmartBlug/simple-keycloak > keycloak-connect@11.0.3
    Remediation: Upgrade to keycloak-connect@21.0.1.

Overview

keycloak-connect is an Identity and Access Management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect via the checkSso function. The checkSso function uses the query parameter 'prompt=none' when forwarding the request to Keycloak. This may allow authenticating the user without interaction as long as the user is already authenticated with Keycloak.

Note: This package is deprecated and will be removed in the future.

Remediation

Upgrade keycloak-connect to version 21.0.1 or higher.

medium severity

Use of a Cryptographic Primitive with a Risky Implementation

  • Vulnerable module: elliptic
  • Introduced through: keycloak-connect@11.0.3

Detailed paths

  • Introduced through: simple-keycloak@SmartBlug/simple-keycloak > keycloak-connect@11.0.3 > jwk-to-pem@2.0.7 > elliptic@6.6.1

Overview

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation due to the incorrect computation of the byte length of the k value when it has leading zeros, resulting in its truncation. An attacker can obtain the secret key by analyzing both a faulty signature generated by a vulnerable implementation and a correct signature for the same inputs.

Note: There is a distinct but related issue, CVE-2024-48948.

Remediation

There is no fixed version for elliptic.