CVE-2020-1744Improper Handling of Exceptional Conditions in Redhat Keycloak

CWE-755Improper Handling of Exceptional ConditionsCWE-200Sensitive Information Exposure6 documents6 sources
Severity
5.6MEDIUMNVD
EPSS
0.3%
top 43.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat KeycloakRED HAT Keycloak
Timeline
PublishedMar 24
Latest updateSep 20

Description

A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages2 packages

NVDredhat/keycloak< 9.0.1
CVEListV5red_hat/keycloakall keycloak versions prior to 9.0.1

🔴Vulnerability Details

3
OSV
Exposure of Sensitive Information in keycloak2021-09-20
GHSA
Exposure of Sensitive Information in keycloak2021-09-20
CVEList
CVE-2020-1744: A flaw was found in keycloak before version 92020-03-24

📋Vendor Advisories

1
Red Hat
keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP2020-03-23

💬Community

1
Bugzilla
CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP2020-02-21
CVE-2020-1744 — Redhat Keycloak vulnerability | cvebase