CVE-2020-1758 — Improper Validation of Certificate with Host Mismatch in Redhat Keycloak

CWE-297 — Improper Validation of Certificate with Host Mismatch CWE-295 — Improper Certificate Validation6 documents6 sources

Severity

5.9MEDIUMNVD

CNA5.3

EPSS

0.3%

top 51.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak RED HAT Keycloak Redhat Openstack

Timeline

PublishedMay 15

Latest updateFeb 9

Description

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDredhat/keycloak< 10.0.0

▶CVEListV5red_hat/keycloakkeycloak versions before 10.0.0

▶NVDredhat/openstack10

🔴Vulnerability Details

OSV

Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak↗2022-02-09

▶

GHSA

Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak↗2022-02-09

▶

CVEList

CVE-2020-1758: A flaw was found in Keycloak in versions before 10↗2020-05-15

▶

📋Vendor Advisories

Red Hat

keycloak: improper verification of certificate with host mismatch could result in information disclosure↗2020-05-12

▶

💬Community

Bugzilla

CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure↗2020-03-11

▶