CVE-2020-10734

CWE-352 — Cross-Site Request Forgery (CSRF)CWE-601 — Open Redirect6 documents6 sources

Severity

3.3LOW

EPSS

0.0%

top 94.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Fuse Redhat Single Sign-on

Timeline

PublishedFeb 11

Latest updateApr 28

Description

A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶Mavenorg.keycloak:keycloak-oidc-client-adapter-pom< 18.0.0

▶NVDredhat/single_sign-on7.0

▶CVEListV5keycloakAs shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes

▶NVDredhat/jboss_fuse7.0.0

🔴Vulnerability Details

OSV

OIDC Logout redirect in keycloak↗2022-04-28

▶

GHSA

OIDC Logout redirect in keycloak↗2022-04-28

▶

CVEList

CVE-2020-10734: A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection↗2021-02-11

▶

📋Vendor Advisories

Red Hat

keycloak: OIDC logout endpoint CSRF↗2021-02-10

▶

💬Community

Bugzilla

CVE-2020-10734 keycloak: OIDC logout endpoint CSRF↗2020-05-05

▶