CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1758 – keycloak: improper verification of certificate with host mismatch could result in information disclosure
https://notcve.org/view.php?id=CVE-2020-1758
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. Se encontró un fallo en Keycloak en versiones anteriores a 10.0.0, donde no se lleva a cabo una verificación del nombre de host TLS mientras se envía correos electrónicos utilizando el servidor SMTP. Este fallo permite a un atacante llevar a cabo un ataque de tipo man-in-the-middle (MITM). A flaw was found in Keycloak, where it does not perform the TLS hostname verification while sending emails using the SMTP server. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758 https://issues.redhat.com/browse/KEYCLOAK-13285 https://access.redhat.com/security/cve/CVE-2020-1758 https://bugzilla.redhat.com/show_bug.cgi?id=1812514 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1718 – keycloak: security issue on reset credential flow
https://notcve.org/view.php?id=CVE-2020-1718
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. Se encontró un fallo en el flujo de restablecimiento de credenciales en todas las versiones de Keycloak versiones anteriores a 8.0.0. Este fallo permite a un atacante obtener acceso no autorizado a la aplicación. A flaw was found in the reset credential flow in Keycloak. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1718 https://access.redhat.com/security/cve/CVE-2020-1718 https://bugzilla.redhat.com/show_bug.cgi?id=1796756 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1724 – keycloak: problem with privacy after user logout
https://notcve.org/view.php?id=CVE-2020-1724
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. Se encontró un fallo en Keycloak en versiones anteriores a 9.0.2. Este fallo permite a un usuario malicioso que actualmente está registrado, visualizar la información personal de un usuario que previamente a cerrado sesión en la sección del administrador de la cuenta. A flaw was found in Keycloak. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724 https://access.redhat.com/security/cve/CVE-2020-1724 https://bugzilla.redhat.com/show_bug.cgi?id=1800527 • CWE-613: Insufficient Session Expiration •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1698 – keycloak: Password leak by logged exception in HttpMethod class
https://notcve.org/view.php?id=CVE-2020-1698
A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. Se detectó un fallo en keycloak en versiones anteriores a 9.0.0. Una excepción registrada en la clase HttpMethod puede filtrar la contraseña dada como parámetro. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1698 https://access.redhat.com/security/cve/CVE-2020-1698 https://bugzilla.redhat.com/show_bug.cgi?id=1790292 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10170 – keycloak: script execution via realm management policy trigger
https://notcve.org/view.php?id=CVE-2019-10170
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. Se encontró un fallo en la consola de administración de Keycloak, donde la interfaz de administración de un realm permite establecer un script por medio de la política. Este fallo permite a un atacante con permisos de usuario autenticado y administración del realm configurar un script malicioso para activar y ejecutar código arbitrario con los permisos del usuario de la aplicación. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10170 https://access.redhat.com/security/cve/CVE-2019-10170 https://bugzilla.redhat.com/show_bug.cgi?id=1721295 • CWE-267: Privilege Defined With Unsafe Actions •