Bug 1805792 (CVE-2020-1744)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP | | |
| Product | [Other] Security Response | Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aboyko, aileenc, avibelli, bgeorges, chazlett, cmoulliard, dkreling, drieden, ggaughan, gmalinko, ikanello, janstey, jbalunas, jochrist, jpallich, jwon, krathod, lthon, mszynkie, pdrozd, pgallagh, pjindal, rruss, security-response-team, sthorger |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | keycloak 9.0.1 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in keycloak. BruteForceProtector does not handle Conditional OTP Authentication Flow login failure events due to these events not being sent to the brute force protection event queue. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-03-23 22:31:52 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1805793 | | |
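To make the Doc Text concrete, here is an added illustration (not Keycloak's or Red Hat's code) of the failure mode: a brute-force protector can only lock a user if it is told about failed logins, and in the vulnerable flow the conditional-OTP step rejects a bad code without dispatching that event, so OTP guessing is never throttled. The names `BruteForceProtector`, `Realm`, `login_vulnerable`, `login_fixed`, `make_realm` and `brute_force_otp` are all hypothetical, the sample user, password and OTP code are constructed, and a simplified permanent lock stands in for Keycloak's actual lockout logic.

```python
# Added illustration, not Keycloak's own code: a toy model of the failure mode
# behind CVE-2020-1744. A brute-force protector only locks a user if it is told
# about failed logins. In the vulnerable flow the conditional-OTP step rejects a
# bad code but never dispatches a failed-login event, so OTP guessing is never
# throttled; the fixed flow dispatches the event on every OTP failure.
# All names (BruteForceProtector, Realm, login_vulnerable, login_fixed,
# make_realm, brute_force_otp) are hypothetical, and the OTP is a fixed sample
# code rather than a real TOTP.
from dataclasses import dataclass, field
import hmac


@dataclass
class BruteForceProtector:
    """Counts failed-login events per user and locks the user at a threshold."""
    max_failures: int = 5
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def failed_login(self, user: str) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)

    def is_locked(self, user: str) -> bool:
        return user in self.locked


@dataclass
class Realm:
    passwords: dict              # user -> password (constructed sample data)
    otp_codes: dict              # user -> currently valid 6-digit code (constructed)
    conditional_otp_users: set   # users for whom the conditional OTP step applies
    protector: BruteForceProtector


def _password_ok(realm: Realm, user: str, password: str) -> bool:
    expected = realm.passwords.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def _otp_ok(realm: Realm, user: str, code: str) -> bool:
    expected = realm.otp_codes.get(user, "")
    return hmac.compare_digest(expected.encode(), (code or "").encode())


def login_vulnerable(realm: Realm, user: str, password: str, otp: str = None) -> str:
    """Models the flow before the fix: OTP failures bypass the protector."""
    if realm.protector.is_locked(user):
        return "locked"
    if not _password_ok(realm, user, password):
        realm.protector.failed_login(user)      # the password step does report
        return "bad_password"
    if user in realm.conditional_otp_users and not _otp_ok(realm, user, otp):
        return "bad_otp"                        # BUG: no failed-login event sent
    return "ok"


def login_fixed(realm: Realm, user: str, password: str, otp: str = None) -> str:
    """Models the flow after the fix: every OTP failure reaches the protector."""
    if realm.protector.is_locked(user):
        return "locked"
    if not _password_ok(realm, user, password):
        realm.protector.failed_login(user)
        return "bad_password"
    if user in realm.conditional_otp_users and not _otp_ok(realm, user, otp):
        realm.protector.failed_login(user)      # fix: report the OTP failure too
        return "bad_otp"
    return "ok"


def make_realm(max_failures: int = 5) -> Realm:
    """Constructed sample realm: one user, known password, OTP code 000007."""
    return Realm(
        passwords={"alice": "correct horse"},
        otp_codes={"alice": "000007"},
        conditional_otp_users={"alice"},
        protector=BruteForceProtector(max_failures=max_failures),
    )


def brute_force_otp(realm: Realm, login, user: str, password: str, limit: int = 1000):
    """Guess OTP codes in order until success or lockout; return (outcome, attempts)."""
    for i in range(limit):
        outcome = login(realm, user, password, f"{i:06d}")
        if outcome in ("ok", "locked"):
            return outcome, i + 1
    return "exhausted", limit


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        realm = make_realm()
        outcome, attempts = brute_force_otp(realm, login, "alice", "correct horse")
        print(f"{name}: {outcome} after {attempts} attempts, "
              f"protector saw {realm.protector.failures.get('alice', 0)} failures")
```

With a threshold of 5, the vulnerable flow lets the guessing loop reach the valid code on attempt 8 with the protector having counted zero failures, while the fixed flow locks the user after the fifth bad code. The practical check on a real deployment follows the same shape: enable brute force detection in the realm, put a user through a post-login flow with a Conditional OTP step, submit more wrong OTP codes than the configured threshold, and confirm the user is reported as locked; on Keycloak releases before 9.0.1 (or RH-SSO 7.3 without the errata above) the user is not locked.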
Description (Pedro Sampaio, 2020-02-21 14:54:50 UTC)

pull request: https://github.com/keycloak/keycloak-prod/pull/266

This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 7. Via RHSA-2020:0946 https://access.redhat.com/errata/RHSA-2020:0946

This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 8. Via RHSA-2020:0947 https://access.redhat.com/errata/RHSA-2020:0947

This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 6. Via RHSA-2020:0945 https://access.redhat.com/errata/RHSA-2020:0945

This issue has been addressed in the following products: Red Hat Single Sign-On. Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1744

This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.2.6. Via RHSA-2020:2252 https://access.redhat.com/errata/RHSA-2020:2252

This issue has been addressed in the following products: Red Hat Openshift Application Runtimes. Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905