CVE-2020-1724 — Insufficient Session Expiration in Redhat Keycloak

CWE-613 — Insufficient Session Expiration6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 66.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak RED HAT Keycloak Redhat Single Sign-on

Timeline

PublishedMay 11

Latest updateMay 24

Description

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDredhat/keycloak< 9.0.2

▶CVEListV5red_hat/keycloakAll versions before 9.0.2

▶NVDredhat/single_sign-on7.0

🔴Vulnerability Details

GHSA

Keycloak Insufficient Session Expiry↗2022-05-24

▶

OSV

Keycloak Insufficient Session Expiry↗2022-05-24

▶

CVEList

CVE-2020-1724: A flaw was found in Keycloak in versions before 9↗2020-05-11

▶

📋Vendor Advisories

Red Hat

keycloak: problem with privacy after user logout↗2020-05-07

▶

💬Community

Bugzilla

CVE-2020-1724 keycloak: problem with privacy after user logout↗2020-02-07

▶