CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1758 – keycloak: improper verification of certificate with host mismatch could result in information disclosure
https://notcve.org/view.php?id=CVE-2020-1758
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. Se encontró un fallo en Keycloak en versiones anteriores a 10.0.0, donde no se lleva a cabo una verificación del nombre de host TLS mientras se envía correos electrónicos utilizando el servidor SMTP. Este fallo permite a un atacante llevar a cabo un ataque de tipo man-in-the-middle (MITM). A flaw was found in Keycloak, where it does not perform the TLS hostname verification while sending emails using the SMTP server. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1758 https://issues.redhat.com/browse/KEYCLOAK-13285 https://access.redhat.com/security/cve/CVE-2020-1758 https://bugzilla.redhat.com/show_bug.cgi?id=1812514 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1724 – keycloak: problem with privacy after user logout
https://notcve.org/view.php?id=CVE-2020-1724
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. Se encontró un fallo en Keycloak en versiones anteriores a 9.0.2. Este fallo permite a un usuario malicioso que actualmente está registrado, visualizar la información personal de un usuario que previamente a cerrado sesión en la sección del administrador de la cuenta. A flaw was found in Keycloak. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724 https://access.redhat.com/security/cve/CVE-2020-1724 https://bugzilla.redhat.com/show_bug.cgi?id=1800527 • CWE-613: Insufficient Session Expiration •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1698 – keycloak: Password leak by logged exception in HttpMethod class
https://notcve.org/view.php?id=CVE-2020-1698
A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. Se detectó un fallo en keycloak en versiones anteriores a 9.0.0. Una excepción registrada en la clase HttpMethod puede filtrar la contraseña dada como parámetro. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1698 https://access.redhat.com/security/cve/CVE-2020-1698 https://bugzilla.redhat.com/show_bug.cgi?id=1790292 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10686
https://notcve.org/view.php?id=CVE-2020-10686
A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. Se encontró un fallo en Keycloak versión 8.0.2 y 9.0.0, y se corrigió en Keycloak versión 9.0.1, donde un usuario malicioso se registra como uno mismo. El atacante podría luego usar el formulario de eliminar dispositivos para publicar diferentes ID de credenciales y posiblemente eliminar dispositivos MFA para otros usuarios. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686 • CWE-285: Improper Authorization •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1728 – keycloak: security headers missing on REST endpoints
https://notcve.org/view.php?id=CVE-2020-1728
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. Se detectó una vulnerabilidad en todas las versiones de Keycloak donde, las páginas en el área Admin Console de la aplicación, carecen completamente de encabezados de seguridad HTTP generales en las respuestas HTTP. Esto no conlleva directamente a un problema de seguridad, sin embargo podría ayudar a atacantes en sus esfuerzos para explotar otros problemas. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728 https://access.redhat.com/security/cve/CVE-2020-1728 https://bugzilla.redhat.com/show_bug.cgi?id=1800585 • CWE-358: Improperly Implemented Security Check for Standard CWE-1021: Improper Restriction of Rendered UI Layers or Frames •