Main Vulnerability Database SB2020040631

SB2020040631 - Missing security restrictions in Keycloak

Published: April 6, 2020 Updated: October 9, 2020

Security Bulletin ID SB2020040631

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Protection Mechanism Failure (CVE-ID: CVE-2020-1728)

The vulnerability allows a remote attacker to bypass expected security restrictions.

The vulnerability exists due to the Admin Console area in Keycloak is completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.

Remediation

Install update from vendor's website.

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728