securitykeycloakapiman

Apiman 2.0.0 security vulnerabilities


We have passed Apiman-2.0.0.final through security scans and came up with some critical/high vulnerabilities, mostly relevant to keycloak-core-10.0.2. Fixes for this vulnerability are available in higher versions of keycloak.

I would like to know how do you handle these scenarios. Should we repackage the war locally for us to use? We can create a pull request if it works. Should we open a Jira item? I cannot see 2.0.0 being supported on red hat Jira. https://issues.redhat.com/projects/APIMAN/summary


Solution

  • Please post issues on our GitHub issue tracker, not stack overflow https://github.com/apiman/apiman/issues

    We're using a newer version of Keycloak for the upcoming community release. You can indeed use your own separate Keycloak instance (recommended for a real deployment), rather than the one bundled in the quickstart.