CVE-2020-1694
keycloak: verify-token-audience support is missing in the NodeJS adapter
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
Se encontró un fallo en todas las versiones de Keycloak versiones anteriores a 10.0.0, donde el adaptador NodeJS no admitía la verify-token-audience. Este fallo hace que algunos usuarios tengan acceso a información confidencial fuera de sus permisos
A flaw was found in Keycloak, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.4.1 serves as a replacement for Red Hat Single Sign-On 7.4.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution and cross site scripting vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-11-27 CVE Reserved
- 2020-07-02 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-183: Permissive List of Allowed Inputs
- CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1790759 | 2020-07-02 | |
| https://access.redhat.com/security/cve/CVE-2020-1694 | 2020-07-02 |