CVE-2020-1731 — Predictable from Observable State in Redhat Keycloak Operator

CWE-341 — Predictable from Observable State CWE-330 — Use of Insufficiently Random Values7 documents6 sources

Severity

9.8CRITICALNVD

CNA9.1

EPSS

0.4%

top 39.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak Operator RED HAT Keycloak

Timeline

PublishedMar 2

Latest updateOct 27

Description

A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDredhat/keycloak_operator< 8.0.2

▶CVEListV5red_hat/keycloakall versions of keycloak operator before keycloak operator 8.0.2

🔴Vulnerability Details

GHSA

Predictable password in Keycloak↗2020-04-15

▶

OSV

Predictable password in Keycloak↗2020-04-15

▶

CVEList

CVE-2020-1731: A flaw was found in all versions of the Keycloak operator, before version 8↗2020-03-02

▶

📋Vendor Advisories

Red Hat

keycloak: generates same admin password while installation when deployed on same openshift namespace↗2020-02-25

▶

💬Community

Bugzilla

CVE-2020-25675 ImageMagick: outside the range of representable values of type 'long' and integer overflow at MagickCore/transform.c and MagickCore/image.c↗2020-10-27

▶

Bugzilla

CVE-2020-1731 keycloak: generates same admin password while installation when deployed on same openshift namespace↗2020-02-11

▶