CVE-2020-14366 — Path Traversal in Redhat Keycloak

CWE-22 — Path Traversal8 documents7 sources

Severity

7.5HIGHNVD

CNA6.8

EPSS

0.4%

top 40.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak RED HAT Keycloak

Timeline

PublishedNov 9

Latest updateFeb 9

Description

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can be exposed by this flaw

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDredhat/keycloak< 12.0.0

▶CVEListV5red_hat/keycloakbefore (excluding) 12.0.0

🔴Vulnerability Details

OSV

Path Traversal↗2022-02-09

▶

GHSA

Path Traversal↗2022-02-09

▶

CVEList

CVE-2020-14366: A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint↗2020-11-09

▶

💥Exploits & PoCs

Exploit-DB

Stock Management System 1.0 - 'brandId and categoriesId' SQL Injection↗2020-10-23

▶

Exploit-DB

Stock Management System 1.0 - Cross-Site Request Forgery (Change Username)↗2020-09-02

▶

📋Vendor Advisories

Red Hat

keycloak: path traversal in resources↗2020-11-04

▶

💬Community

Bugzilla

CVE-2020-14366 keycloak: path traversal in resources↗2020-08-18

▶