List of known CVEs in Keycloak

Is there a list of known CVEs in Keycloak? I was checking regarding the CVE NVD - CVE-2022-42889, but cannot find details anywhere.

And is the list maintained for the Red Hat Keycloak version here (Redhat Keycloak : List of security vulnerabilities) valid for the image hosted at Quay? And also, does it contain known vulnerabilities in version 19 onwards (Versions of Redhat Keycloak : Versions and number of related security vulnerabilities)?

I tried raising this issue in GitHub forums, but did not get any reply.

I feel it is safe to say that there isn't a single list of all known CVEs in Keycloak and all of its included dependencies.


As for a secure deployment, you typically want to build your own version anyway; take a look at e.g. GitHub - thomasdarimont/keycloak-custom-server: Custom Keycloak.X Server Distribution with selective features to see how to just build a CVE-free version.
