Vulnerabilities

 2 via 12 paths

Dependencies

 61

Source

 GitHub

Commit

 d418c373

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

medium severity

Unprotected Transport of Credentials

  • Vulnerable module: org.keycloak:keycloak-core
  • Introduced through: org.keycloak:keycloak-spring-boot-starter@24.0.5

Detailed paths

  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-authz-client@24.0.5 org.keycloak:keycloak-core@24.0.5
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-security-adapter@24.0.5 org.keycloak:keycloak-core@24.0.5
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-boot-2-adapter@24.0.5 org.keycloak:keycloak-core@24.0.5
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-boot-2-adapter@24.0.5 org.keycloak:keycloak-spring-boot-adapter-core@24.0.5 org.keycloak:keycloak-core@24.0.5
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-boot-2-adapter@24.0.5 org.keycloak:keycloak-spring-security-adapter@24.0.5 org.keycloak:keycloak-core@24.0.5
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-security-adapter@24.0.5 org.keycloak:keycloak-policy-enforcer@24.0.5 org.keycloak:keycloak-authz-client@24.0.5 org.keycloak:keycloak-core@24.0.5
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-boot-2-adapter@24.0.5 org.keycloak:keycloak-spring-security-adapter@24.0.5 org.keycloak:keycloak-policy-enforcer@24.0.5 org.keycloak:keycloak-authz-client@24.0.5 org.keycloak:keycloak-core@24.0.5

Overview

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials for the LDAP testing endpoint, which allows the modification of the Connection URL without entering the LDAP bind credentials. An attacker with manage-realm permission can redirect the LDAP host to an arbitrary URL.

Remediation

Upgrade org.keycloak:keycloak-core to version 24.0.6, 25.0.1 or higher.

References

Unprotected Transport of Credentials vulnerability report

low severity

Information Exposure

  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: org.keycloak:keycloak-spring-boot-starter@24.0.5

Detailed paths

  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-authz-client@24.0.5 org.apache.httpcomponents:httpclient@4.5.14 commons-codec:commons-codec@1.11
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-security-adapter@24.0.5 org.apache.httpcomponents:httpclient@4.5.14 commons-codec:commons-codec@1.11
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-boot-2-adapter@24.0.5 org.keycloak:keycloak-spring-security-adapter@24.0.5 org.apache.httpcomponents:httpclient@4.5.14 commons-codec:commons-codec@1.11
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-security-adapter@24.0.5 org.keycloak:keycloak-policy-enforcer@24.0.5 org.keycloak:keycloak-authz-client@24.0.5 org.apache.httpcomponents:httpclient@4.5.14 commons-codec:commons-codec@1.11
  • Introduced through: mkazinauskas/spring-boot-keycloak@mkazinauskas/spring-boot-keycloak#d418c3735ec066a1883de95a330441107b927a85 org.keycloak:keycloak-spring-boot-starter@24.0.5 org.keycloak:keycloak-spring-boot-2-adapter@24.0.5 org.keycloak:keycloak-spring-security-adapter@24.0.5 org.keycloak:keycloak-policy-enforcer@24.0.5 org.keycloak:keycloak-authz-client@24.0.5 org.apache.httpcomponents:httpclient@4.5.14 commons-codec:commons-codec@1.11

Overview

commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.13 or higher.

References

Information Exposure vulnerability report