Bug 1790292 (CVE-2020-1698)

Summary: CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, avibelli, bgeorges, cbyrne, chazlett, cmacedo, cmoulliard, dffrench, dkreling, drieden, drusso, etirelli, ggaughan, gmalinko, ibek, ikanello, janstey, jbalunas, jmadigan, jochrist, jpallich, jshepherd, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, ngough, paradhya, pdrozd, pgallagh, pjindal, pwright, rrajasek, rruss, rsynek, sdaley, security-response-team, sthorger, trepel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: keycloak 9.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-06 07:54:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1790293    

Description Pedro Sampaio 2020-01-13 03:18:39 UTC 
A flaw was found in keycloack. A logged exception in the HttpMethod class may leak password given as parameter.

References:

https://issues.redhat.com/browse/KEYCLOAK-12638
Comment 1 Paramvir jindal 2020-01-16 04:46:40 UTC 
RHSSO 7.3.5 client adapters seem to be affected as they do ship keycloak-authz-client-4.8.15.Final-redhat-00001.jar
Comment 3 Paramvir jindal 2020-01-16 04:57:32 UTC 
Marking RHDM/PAM as not affected as they do not ship this class :

https://github.com/keycloak/keycloak/blob/master/authz/client/src/main/java/org/keycloak/authorization/client/util/HttpMethod.java#L106
Comment 9 Pedro Sampaio 2020-05-05 14:33:59 UTC 
Acknowledgments:

Name: Tobias Friedrich
Comment 12 errata-xmlrpc 2020-06-01 15:32:28 UTC 
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.2.6

Via RHSA-2020:2252 https://access.redhat.com/errata/RHSA-2020:2252
Comment 13 errata-xmlrpc 2020-07-23 07:04:08 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905