CVE-2020-1728
keycloak: security headers missing on REST endpoints
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
Se detectó una vulnerabilidad en todas las versiones de Keycloak donde, las páginas en el área Admin Console de la aplicación, carecen completamente de encabezados de seguridad HTTP generales en las respuestas HTTP. Esto no conlleva directamente a un problema de seguridad, sin embargo podría ayudar a atacantes en sus esfuerzos para explotar otros problemas. Los fallos innecesariamente hacen a los servidores más propensos a un secuestro del cliqueo, ataques de degradación de canal y otros vectores de ataque similares basados en el cliente.
A flaw was found in Keycloak’s Admin Console, where it is missing HTTP security headers in HTTP responses. This issue is not a direct vulnerability and may not lead to a security issue, but increases the chances of allowing attackers to exploit other security flaws. Examples of these possible exploits are servers being prone to clickjacking, channel downgrade attacks, and other similar client-based attack vectors.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-11-27 CVE Reserved
- 2020-04-06 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-358: Improperly Implemented Security Check for Standard
- CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2020-1728 | 2020-10-14 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1800585 | 2020-10-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Keycloak Search vendor "Redhat" for product "Keycloak" | < 10.0.0 Search vendor "Redhat" for product "Keycloak" and version " < 10.0.0" | - |
Affected
| ||||||
Quarkus Search vendor "Quarkus" | Quarkus Search vendor "Quarkus" for product "Quarkus" | <= 1.4.2 Search vendor "Quarkus" for product "Quarkus" and version " <= 1.4.2" | - |
Affected
|