Hi Keycloak,

We have been playing around with Keycloak for some time now and have found it
to be a wonderful product.

As the next step we were planning to use it on our production systems, but
came across the following vulnerabilities (gathered with the OWASP Dependency
Check tool <https://www.owasp.org/index.php/OWASP_Dependency_Check>).
These vulnerabilities are now stopping us from adopting Keycloak as our
SSO solution.

I did not find any JIRA addressing this problem.

Can you please let us know whether these concerns have been raised before, or
whether there is any other path that could help us mitigate the problem?
Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count
(links attached to a CPE or GAV cell are listed under the row)
--------------------------------------------------------------------------------
jackson-annotations-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-annotations:2.5.4 | Medium | 1 | LOW | 25
  GAV link: http://search.maven.org/#search|ga|1|1%3A%227a93b60f5d2d43024f34e15893552...
jackson-core-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-core:2.5.4 | Medium | 1 | LOW | 25
  GAV link: http://search.maven.org/#search|ga|1|1%3A%220a57a2df1a23ca1ee32f129173ba7...
jackson-databind-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-databind:2.5.4 | Medium | 1 | LOW | 25
  GAV link: http://search.maven.org/#search|ga|1|1%3A%225dfa42af84584b4a862ea488da84b...
jackson-jaxrs-base-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.5.4 | High | 2 | LOW | 24
  GAV link: http://search.maven.org/#search|ga|1|1%3A%228af261181ae4fb16ccce5e116fa25...
netty-all-4.0.32.Final.jar | cpe:/a:netty_project:netty:4.0.32 | io.netty:netty-all:4.0.32.Final | High | 1 | HIGHEST | 14
  CPE link: https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve...
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22e8872b84e976530d8041718a71a98...
undertow-js-1.0.1.Final.jar | cpe:/a:redhat:undertow:1.0.1 | io.undertow.js:undertow-js:1.0.1.Final | Medium | 1 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%221c1c1e3c799a82530da95fa0be50f...
cdi-api-1.2.jar | cpe:/a:redhat:jboss_weld:1.2 | javax.enterprise:cdi-api:1.2 | Medium | 1 | LOW | 23
  GAV link: http://search.maven.org/#search|ga|1|1%3A%2253bba91dc3968adf411e076df020c...
openjdk-orb-8.0.5.Final.jar | cpe:/a:oracle:openjdk:8.0.5 | org.jboss.openjdk-orb:openjdk-orb:8.0.5.Final | Low | 1 | LOW | 19
cxf-services-sts-core-3.1.4.jar | cpe:/a:apache:cxf:3.1.4 | org.apache.cxf.services.sts:cxf-services-sts-core:3.1.4 | Medium | 3 | LOW | 22
  GAV link: http://search.maven.org/#search|ga|1|1%3A%2236b5859fdff1fb6e185a4be915be9...
cxf-xjc-dv-3.0.5.jar | cpe:/a:apache:cxf:3.0.5 | org.apache.cxf.xjcplugins:cxf-xjc-dv:3.0.5 | Medium | 4 | LOW | 18
  GAV link: http://search.maven.org/#search|ga|1|1%3A%225293323564e2610b67b515d3d4d62...
cxf-core-3.1.4.jar | cpe:/a:apache:cxf:3.1.4 | org.apache.cxf:cxf-core:3.1.4 | Medium | 3 | LOW | 22
  GAV link: http://search.maven.org/#search|ga|1|1%3A%225387c3daecea4e2b4c7bf74c77e81...
proton-j-0.8.jar | cpe:/a:apache:qpid:0.8; cpe:/a:apache:qpid_proton:0.8.0 | org.apache.qpid:proton-j:0.8 | Medium | 10 | HIGHEST | 17
  CPE link (qpid): https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve...
  CPE link (qpid_proton): https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve...
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22214f388165d45d593b050b3b36aac...
xalan-2.7.1.jbossorg-2.jar | cpe:/a:apache:xalan-java:2.7.1 | - | High | 1 | HIGHEST | 29
  CPE link: https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve...
jackson-core-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-core-asl:1.9.13 | High | 2 | LOW | 22
  GAV link: http://search.maven.org/remotecontent?filepath=org/codehaus/jackson/jacks...
jackson-jaxrs-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-jaxrs:1.9.13 | High | 2 | LOW | 21
  GAV link: http://search.maven.org/remotecontent?filepath=org/codehaus/jackson/jacks...
jackson-mapper-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-mapper-asl:1.9.13 | High | 2 | LOW | 21
  GAV link: http://search.maven.org/remotecontent?filepath=org/codehaus/jackson/jacks...
jackson-xc-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-xc:1.9.13 | High | 2 | LOW | 21
  GAV link: http://search.maven.org/remotecontent?filepath=org/codehaus/jackson/jacks...
wildfly-clustering-jgroups-extension-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-extension:10.0.0.Final | High | 1 | LOW | 21
  GAV link: http://search.maven.org/#search|ga|1|1%3A%227ff0f135e10d4f4afafd19ebb0320...
mod_cluster-container-spi-1.3.1.Final.jar | cpe:/a:redhat:mod_cluster:1.3.1 | org.jboss.mod_cluster:mod_cluster-container-spi:1.3.1.Final | Medium | 1 | HIGHEST | 18
  CPE link: https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve...
mod_cluster-core-1.3.1.Final.jar | cpe:/a:redhat:mod_cluster:1.3.1 | org.jboss.mod_cluster:mod_cluster-core:1.3.1.Final | Medium | 1 | HIGHEST | 18
  CPE link: https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve...
jose-jwt-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:jose-jwt:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%228d28c3d644afac9c6bd4bae58d827...
resteasy-atom-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-atom-provider:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%225031e899ec910ddf6945f73c03f3b...
resteasy-cdi-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-cdi:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%222748ad6a006334a2c330e49d3ad3e...
resteasy-crypto-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-crypto:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22c46dcbebd503306b777402e9c2d78...
resteasy-jackson-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jackson-provider:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%2226d8c7b3d3dc933eba15c51ecd59a...
resteasy-jackson2-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jackson2-provider:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%227126a2267d2ed84472cca7bd78040...
resteasy-jaxb-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jaxb-provider:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%2239ae9c24c9ea5e0b4e6fedf997cff...
async-http-servlet-3.0-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:async-http-servlet-3.0:3.0.14.Final | Medium | 4 | LOW | 19
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22cbd82bbdb368bc92cac6ea8b90ba4...
resteasy-jaxrs-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jaxrs:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22a3974127a846dfe4dc5911f46c9dd...
resteasy-jettison-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jettison-provider:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%2295e252f48dd51a794831fa7cef859...
resteasy-jsapi-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jsapi:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%2294674b630328841b9f1c8db7bca52...
resteasy-json-p-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-json-p-provider:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%225c43f9986593b9bf965ac498252c7...
resteasy-multipart-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-multipart-provider:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%228a89bd4822758826ddd08e85c0b87...
resteasy-spring-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-spring:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%228c66bf3cb05b5c041d702c7f73b80...
resteasy-validator-provider-11-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-validator-provider-11:3.0.14.Final | Medium | 4 | LOW | 21
  GAV link: http://search.maven.org/#search|ga|1|1%3A%222b2cdf6d8210be1fabdde88eededc...
resteasy-yaml-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-yaml-provider:3.0.14.Final | Medium | 4 | LOW | 20
  GAV link: http://search.maven.org/#search|ga|1|1%3A%2204b3a4d21ca93de9015d09ce53b53...
jaxws-undertow-httpspi-1.0.1.Final.jar | cpe:/a:redhat:undertow:1.0.1 | org.jboss.ws.projects:jaxws-undertow-httpspi:1.0.1.Final | Medium | 1 | LOW | 15
  GAV link: http://search.maven.org/#search|ga|1|1%3A%229c9815d529f7b2cb5f714a6337c63...
picketlink-common-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-common:2.5.5.SP1 | Medium | 3 | LOW | 14
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22bae415804a1ebebca06b3cd10f331...
picketlink-config-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-config:2.5.5.SP1 | Medium | 3 | LOW | 11
picketlink-api-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-api:2.5.5.SP1 | Medium | 3 | LOW | 14
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22d241908e412703432d2ea2d3cb32b...
picketlink-impl-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-impl:2.5.5.SP1 | Medium | 3 | LOW | 13
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22f98726b18389968646aab6755dc9b...
picketlink-wildfly8-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink.distribution:picketlink-wildfly8:2.5.5.SP1 | Medium | 3 | LOW | 22
  GAV link: http://search.maven.org/remotecontent?filepath=org/picketlink/distributio...
picketlink-federation-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-federation:2.5.5.SP1 | Medium | 3 | LOW | 17
  GAV link: http://search.maven.org/#search|ga|1|1%3A%22c559de29d4309a3cc2d96a4e407a5...
picketlink-idm-api-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-api:2.5.5.SP1 | Medium | 3 | LOW | 13
  GAV link: http://search.maven.org/#search|ga|1|1%3A%227d2f839a879702ece8a3eb604514a...
picketlink-idm-impl-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-impl:2.5.5.SP1 | Medium | 3 | LOW | 14
  GAV link: http://search.maven.org/#search|ga|1|1%3A%228ef97a0fef20a795edf76ec7febc5...
picketlink-idm-simple-schema-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-simple-schema:2.5.5.SP1 | Medium | 3 | LOW | 15
  GAV link: http://search.maven.org/#search|ga|1|1%3A%2277a90ab547910752875a51bec0c2d...
wildfly-clustering-jgroups-api-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-api:10.0.0.Final | High | 1 | LOW | 18
wildfly-clustering-jgroups-spi-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-spi:10.0.0.Final | High | 1 | LOW | 18
wildfly-iiop-openjdk-10.0.0.Final.jar | cpe:/a:oracle:openjdk:10.0.0 | org.wildfly:wildfly-iiop-openjdk:10.0.0.Final | Low | 1 | LOW | 18
wildfly-jberet-10.0.0.Final.jar | cpe:/a:redhat:jboss_wildfly_application_server:10.0.0 | org.wildfly:wildfly-jberet:10.0.0.Final | Medium | 3 | HIGHEST | 19
  CPE link: https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve...
keycloak-authz-policy-drools-3.2.1.Final.jar | cpe:/a:redhat:drools:3.2.1 | org.keycloak:keycloak-authz-policy-drools:3.2.1.Final | High | 1 | LOW | 18

Many Thanks,
-Nirmal
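
An added worked example, not part of Nirmal's message and not code from the Keycloak project or from OWASP Dependency Check: a short Python script that triages rows like the ones in the report above before anyone opens a ticket. It relies on the tool's own CPE Confidence column and on one heuristic of this example's own (does any token of the CPE product name occur in the Maven groupId, which names the project that actually owns the code?) to separate findings worth chasing from probable misidentifications, and it writes a Dependency Check suppression file scoped to the suspect artifact and CPE only. The rows are a constructed subset transcribed from the table above; the function names, the GENERIC word list and the suppression notes are assumptions of this example, and the 1.1 suppression schema URL should be checked against the version of the tool you run.

```python
"""Triage an OWASP Dependency Check result list by CPE confidence and GAV/CPE agreement.

Added example, not part of the original message or of the Keycloak project.
The rows are a constructed subset transcribed from the report above; the
heuristic, the function names and the suppression notes are this example's own.
"""
import re
import xml.etree.ElementTree as ET

# Constructed input transcribed from the report in the message:
# (jar, CPE, GAV, highest severity, CVE count, CPE confidence)
FINDINGS = [
    ("jackson-databind-2.5.4.jar", "cpe:/a:fasterxml:jackson:2.5.4",
     "com.fasterxml.jackson.core:jackson-databind:2.5.4", "Medium", 1, "LOW"),
    ("netty-all-4.0.32.Final.jar", "cpe:/a:netty_project:netty:4.0.32",
     "io.netty:netty-all:4.0.32.Final", "High", 1, "HIGHEST"),
    ("cdi-api-1.2.jar", "cpe:/a:redhat:jboss_weld:1.2",
     "javax.enterprise:cdi-api:1.2", "Medium", 1, "LOW"),
    ("wildfly-iiop-openjdk-10.0.0.Final.jar", "cpe:/a:oracle:openjdk:10.0.0",
     "org.wildfly:wildfly-iiop-openjdk:10.0.0.Final", "Low", 1, "LOW"),
    ("wildfly-jberet-10.0.0.Final.jar",
     "cpe:/a:redhat:jboss_wildfly_application_server:10.0.0",
     "org.wildfly:wildfly-jberet:10.0.0.Final", "Medium", 3, "HIGHEST"),
    ("keycloak-authz-policy-drools-3.2.1.Final.jar", "cpe:/a:redhat:drools:3.2.1",
     "org.keycloak:keycloak-authz-policy-drools:3.2.1.Final", "High", 1, "LOW"),
    ("resteasy-jaxrs-3.0.14.Final.jar", "cpe:/a:redhat:resteasy:3.0.14",
     "org.jboss.resteasy:resteasy-jaxrs:3.0.14.Final", "Medium", 4, "LOW"),
]

# Vendor-ish words that occur in many JBoss/Red Hat CPE product names and in
# groupIds alike (assumed list); they carry no evidence that the product itself
# was identified, so they are ignored when comparing product and groupId.
GENERIC = {"jboss", "redhat", "apache", "org", "com", "io", "net", "project"}

# Dependency Check's suppression-file schema (assumed: the 1.1 schema; check it
# against the version of the tool you run).
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"


def cpe_parts(cpe):
    """Split 'cpe:/a:vendor:product:version' (CPE 2.2 URI form) into its fields."""
    _prefix, _part, vendor, product, version = cpe.split(":", 4)
    return vendor, product, version


def tokens(text):
    """Lower-case alphanumeric tokens of a product name, groupId or artifactId."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def verdict(finding):
    """Classify one row as 'trust', 'review' or 'suspect' and say why.

    Heuristic of this example: if no token of the CPE product appears in the
    groupId, the match was most likely made from the artifactId or jar name
    alone, and the CPE version was simply copied from the artifact's version,
    which belongs to a different project.
    """
    _jar, cpe, gav, _severity, _cves, confidence = finding
    _vendor, product, cpe_version = cpe_parts(cpe)
    group, artifact, version = gav.split(":")
    if confidence in ("HIGH", "HIGHEST"):
        return "trust", f"CPE confidence {confidence}; treat the CVEs as real until the artifact is upgraded"
    shared = (tokens(product) - GENERIC) & tokens(group)
    if shared:
        return "review", f"groupId shares {sorted(shared)} with the CPE product; check each CVE against {artifact}"
    reason = f"CPE product '{product}' does not occur in groupId '{group}'"
    if version.lower().startswith(cpe_version.lower()):
        reason += f"; CPE version {cpe_version} was copied from the artifact version {version}"
    return "suspect", reason


def triage(findings):
    """Map each jar name to its (verdict, reason)."""
    return {f[0]: verdict(f) for f in findings}


def suppression_xml(findings):
    """Render a Dependency Check suppression file for the 'suspect' rows only.

    Each entry is scoped to one groupId:artifactId and one vendor:product, so a
    genuine future CVE under a different CPE for the same jar is not hidden.
    """
    root = ET.Element("suppressions", xmlns=SUPPRESSION_NS)
    for finding in findings:
        jar, cpe, gav = finding[0], finding[1], finding[2]
        kind, reason = verdict(finding)
        if kind != "suspect":
            continue
        vendor, product, _ = cpe_parts(cpe)
        group, artifact, _ = gav.split(":")
        sup = ET.SubElement(root, "suppress")
        ET.SubElement(sup, "notes").text = f"{jar}: {reason}"
        gav_el = ET.SubElement(sup, "gav", regex="true")
        gav_el.text = "^" + re.escape(f"{group}:{artifact}:") + ".*$"
        ET.SubElement(sup, "cpe").text = f"cpe:/a:{vendor}:{product}"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for jar, (kind, reason) in triage(FINDINGS).items():
        print(f"{kind:8} {jar}: {reason}")
    print(suppression_xml(FINDINGS))
```

Run stand-alone it prints one verdict per row and the suppression XML for the three suspect rows (cdi-api matched to Weld, wildfly-iiop-openjdk matched to OpenJDK 10.0.0, and the Keycloak Drools policy module matched to Drools 3.2.1). The "review" rows (Jackson, RESTEasy and, with the full table, CXF and PicketLink) are not cleared by the script: for those the product identification is plausible, and the remaining work is reading each CVE against the exact artifact and version. Pass the generated file to the scanner with its suppression-file option, and keep the notes, since the whole point of a scoped suppression is that the next reviewer can see why it was added.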