Maven · repo1.maven.org
org.operaton.bpm.extension:operaton-keycloak-all
Java Dynamic Classload: URLClassLoader / defineClass — runs attacker-provided bytecode.
Why PkgRadar flagged 2.2.0-M1
| Severity | Signal | Evidence |
|---|---|---|
| medium | Java Dynamic Classload | URLClassLoader / defineClass — runs attacker-provided bytecode. · keycloakjar/org/springframework/aot/nativex/feature/ThrowawayClassLoader.java |
| medium | Java Dynamic Classload | URLClassLoader / defineClass — runs attacker-provided bytecode. · keycloakjar/org/springframework/cglib/core/AbstractClassGenerator.java |
| medium | Java Dynamic Classload | URLClassLoader / defineClass — runs attacker-provided bytecode. · keycloakjar/org/springframework/cglib/core/ReflectUtils.java |
| medium | Java Dynamic Classload | URLClassLoader / defineClass — runs attacker-provided bytecode. · keycloakjar/org/springframework/cglib/transform/AbstractClassLoader.java |
| medium | Java Unsafe Deserialize | ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · keycloakjar/org/springframework/core/ConfigurableObjectInputStream.java |
| medium | Java Dynamic Classload | URLClassLoader / defineClass — runs attacker-provided bytecode. · keycloakjar/org/springframework/core/OverridingClassLoader.java |
| medium | Java Dynamic Classload | URLClassLoader / defineClass — runs attacker-provided bytecode. · keycloakjar/org/springframework/core/SmartClassLoader.java |
| medium | Java Unsafe Deserialize | ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · keycloakjar/org/springframework/util/SerializationUtils.java |
| medium | Java Unsafe Deserialize | ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · keycloakjar/org/springframework/objenesis/instantiator/basic/ObjectInputStreamInstantiator.java |
| medium | Java Static Init Side Effect | Static-initializer block contains process/network/reflection — runs on first class load (contributory signal). · keycloakjar/org/springframework/web/client/DefaultRestClientBuilder.java |
| medium | Java Static Init Side Effect | Static-initializer block contains process/network/reflection — runs on first class load (contributory signal). · keycloakjar/org/springframework/core/io/support/PathMatchingResourcePatternResolver.java |
| medium | Java Static Init Side Effect | Static-initializer block contains process/network/reflection — runs on first class load (contributory signal). · keycloakjar/org/springframework/util/MimeTypeUtils.java |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 2.2.0-M1 | Review | 136 | 2026-06-19 |
Block this in CI
pkgradar gate --ecosystem maven org.operaton.bpm.extension:operaton-keycloak-all@2.2.0-M1