Bug
Resolution: Won't Do
Normal
High Sev vulnerability found in Snyk scan:
Detailed paths and remediation
Introduced through: @janus-idp/backstage-plugin-keycloak-backend@1.5.7 › @keycloak/keycloak-admin-client@18.0.2 › axios@0.26.1
Fix: Upgrade to @keycloak/keycloak-admin-client@21.1.0
Security information
Factors contributing to the scoring:
- Snyk: CVSS 7.1 - High Severity
- NVD: Not available. NVD has not yet published its analysis.
Why are the scores different? Learn how Snyk evaluates vulnerability scores: https://docs.snyk.io/features/fixing-and-prioritizing-issues/issue-management/severity-levels#understanding-snyks-vulnerability-analysis
Overview
axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF): when the XSRF-TOKEN cookie is available and the withCredentials setting is turned on, axios inserts an X-XSRF-TOKEN header carrying the secret XSRF-TOKEN cookie value into all requests to any server, not only the origin that issued the cookie. If a malicious user manages to obtain this value, it can potentially lead to a bypass of the XSRF defence mechanism.