CVE-2020-1728Improperly Implemented Security Check for Standard in Redhat Keycloak

CWE-358Improperly Implemented Security Check for StandardCWE-1021UI Misrepresentation / ClickjackingCWE-787Out-of-bounds Write7 documents6 sources
Severity
5.4MEDIUMNVD
CNA4.8
EPSS
0.1%
top 67.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat KeycloakQuarkus
Timeline
PublishedApr 6
Latest updateFeb 21

Description

A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

NVDredhat/keycloak< 10.0.0
NVDquarkus/quarkus1.4.2

🔴Vulnerability Details

3
OSV
Improper Restriction of Rendered UI Layers or Frames in Keycloak2020-04-15
GHSA
Improper Restriction of Rendered UI Layers or Frames in Keycloak2020-04-15
CVEList
CVE-2020-1728: A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTT2020-04-06

📋Vendor Advisories

2
Red Hat
libsolv: Heap overflow2022-02-21
Red Hat
keycloak: security headers missing on REST endpoints2019-11-27

💬Community

1
Bugzilla
CVE-2020-1728 keycloak: security headers missing on REST endpoints2020-02-07
CVE-2020-1728 — Redhat Keycloak vulnerability | cvebase