Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-10770: Server-Side Request Forgery in Redhat Keycloak

Severity
5.3 MEDIUM (NVD)
EPSS
92.3%
top 0.28%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Dec 15
Latest update: Sep 26

Description

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

NVD: redhat/keycloak < 12.0.2
CVEListV5: redhat/keycloak (keycloak 13.0.0)

🔴 Vulnerability Details (4)

GHSA: Keycloak vulnerable to Server-Side Request Forgery (2022-05-24)
OSV: Keycloak vulnerable to Server-Side Request Forgery (2022-05-24)
CVEList: CVE-2020-10770: A flaw was found in Keycloak before 13 (2020-12-15)
VulnCheck: Red Hat keycloak Server-Side Request Forgery (SSRF) (2020)

💥 Exploits & PoCs (2)

Exploit-DB: Keycloak 12.0.1 - 'request_uri' Blind Server-Side Request Forgery (SSRF) (Unauthenticated) (2021-10-13)
Nuclei: Keycloak <= 12.0.1 - request_uri Blind Server-Side Request Forgery (SSRF)

📋 Vendor Advisories (1)

Red Hat: keycloak: Default Client configuration is vulnerable to SSRF using "request_uri" parameter (2020-11-26)

💬 Community (2)

HackerOne: SSRF Keycloak before 13.0.0 - CVE-2020-10770 on https://sponsoredata.mtn.ci (2024-09-26)
Bugzilla: CVE-2020-10770 keycloak: Default Client configuration is vulnerable to SSRF using "request_uri" parameter (2020-06-11)
CVE-2020-10770 — Server-Side Request Forgery in Redhat | cvebase