CVE-2020-1694 — Permissive List of Allowed Inputs in Redhat Keycloak

CWE-183 — Permissive List of Allowed Inputs CWE-732 — Incorrect Permission Assignment6 documents6 sources

Severity

4.9MEDIUMNVD

EPSS

0.3%

top 48.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak

Timeline

PublishedSep 16

Latest updateFeb 9

Description

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDredhat/keycloak< 10.0.0

▶CVEListV5redhat/keycloakall versions before 10.0.0

🔴Vulnerability Details

OSV

Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak↗2022-02-09

▶

GHSA

Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak↗2022-02-09

▶

CVEList

CVE-2020-1694: A flaw was found in all versions of Keycloak before 10↗2020-09-16

▶

📋Vendor Advisories

Red Hat

keycloak: verify-token-audience support is missing in the NodeJS adapter↗2020-07-02

▶

💬Community

Bugzilla

CVE-2020-1694 keycloak: verify-token-audience support is missing in the NodeJS adapter↗2020-01-14

▶